[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <20060817200412.31993@mail.gmx.de>
Date: Thu, 17 Aug 2006 22:04:12 +0200
From: "Carsten Eilers" <ceilers-lists@....de>
To: <dr.t3rr0r1st@...oo.com>, <bugtraq@...urityfocus.com>
Subject: Re: discloser 0.0.4 Remote File Inclusion (with Exploit)
Hi,
dr.t3rr0r1st@...oo.com schrieb am Wed, 16 Aug 2006 21:51:24 +0000:
>$req = HTTP::Request->new(GET =>$bpath.
>'plugins/plugins.php?>type='.$cmdo.'?&'.$bcmd.'='.$cmd)
>or die "\n Could not connect !\n";
With other words: You want to use parameter 'type' in
plugins/plugins.php.
But in plugins/plugins.php we have
| <?
|
| // add additional types to the below array.
|
| $avail_types = array('short', 'long');
| $_SESSION['avail_types'] = $avail_types;
| foreach ($avail_types as $type) {
| include($type . ".plugin.php");
| }
|
|
| ?>
As you can see is $type set to values of $avail_types,
which is intialized two lines above. So there ist no
way to manipulate either $type or $avail_types.
So there is no vulnerability, here.
Regards
Carsten
--
Dipl.-Inform. Carsten Eilers
IT-Sicherheit und Datenschutz
<http://www.ceilers-it.de>
Powered by blists - more mailing lists