Re: phpLedAds 2.0(dir) File Include

To: mahmood ali <mah_k_2000@xxxxxxxxxxx>, bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: phpLedAds 2.0(dir) File Include
From: Stefano Zanero <s.zanero@xxxxxxxxxxxxxxxx>
Date: Wed, 01 Nov 2006 16:26:11 +0100
In-reply-to: <BAY105-F28FF9118980510E3A4F716C2040@xxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: Secure Network S.r.l.
References: <BAY105-F28FF9118980510E3A4F716C2040@xxxxxxx>
User-agent: Thunderbird 1.5.0.7 (X11/20060926)

mahmood ali wrote:
> phpLedAds 2.0(dir) File Include

> Vulnerable Code:_
> 
> click.php & ledad.php & ledad_js.php

> In Line 41 :_
> 
> require_once($dir . '/ad_class.php');

Right above that:

        $dir = dirname(__FILE__);
        if(empty($dir)) {
                $dir = getcwd( );
        }
        if(empty($dir)) {
                $dir = '.';
        }

So, this is once again a case of LUGCS (Lame Usage of Google Code Search).

Flag as bogus, please...

(Gadi, how right are you...)

Stefano

References:
- phpLedAds 2.0(dir) File Include
  - From: mahmood ali

Prev by Date: Cross Site Scripting (XSS) Vulnerability in Netquery by "VIRtech"
Next by Date: Cisco Security Advisory: Cisco Security Agent Management Center LDAP Administrator Authentication Bypass
Previous by thread: phpLedAds 2.0(dir) File Include
Next by thread: [funsec] Haxdoor: UK Police Count 8, 500 Victims in Data Theft (So Far) (fwd)
Index(es):
- Date
- Thread