| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 18 Sep 2006 22:43:26 -0400 From: Craig Morrison <craig@...hpalace.org> To: bugtraq@...urityfocus.com Subject: Re: Plume CMS <= 1.1.10 [prepend.php] Remote File Include Vulnerability D3nGeR@...il.CoM wrote: > Vendor: Plume CMS 1.1.10 > > Found By : D3nGeR > > Scripit Site : http://plume-cms.net > > > > in file [prepend.php] > > > > ; > > include_once $_PX_config['manager_path'].'/inc/class.config.php' > > > > code > > http://site.com/[path]manager/frontinc/prepend.php?_PX_config[manager_path]=[shell code ] > You can't call prepend.php in that path directly, it's protected by: if (basename($_SERVER['SCRIPT_NAME']) == 'prepend.php') exit; In config.php $_PX_config[manager_path] is explicitly set.. And while not included in prepend.php, that file is included in others before access, so there is no vulnerability.. -- Craig Morrison =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= http://pse.2cah.com Controlling pseudoephedrine purchases. http://www.mtsprofessional.com/ A Win32 email server that works for You.
Powered by blists - more mailing lists