Related information

Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)

Secure Login Manager Multiple Input Validation Vulnerabilities

[Full-disclosure] WordPress Persistent XSS

From:	hack2prison_(at)_yahoo.com <hack2prison_(at)_yahoo.com>
Date:	28.12.2006
Subject:	Host directory full disclosure and input error

Host directory is a product of scriptsfrenzy.com and alstrasoft.com
I check lastest version and maybe infected lower versions. I contacted
vendor 5 times in 2 months but not received any replies.
- FullPath disclosure: http://site.ext/path/ANY_INCORRECT_LINK
Warning: main(/home/user/public_html/include/ANY_INCORRECT_LINK.php):
failed to open stream: No such file or directory in
/home/user/public_html/include/main.php on line 25
- Backup database bypass: http://site.ext/path/admin/backup/db
- Change admin password without login:
http://site.ext/path/admin/config