|
Hello

PHPMyTourney Remote File Include Vulnerability

Discovered By : HACKERS PAL
Copyright : HACKERS PAL
Website : http://www.soqor.net
Email Address : security@soqor.net

Home page : http://phpmytourney.sourceforge.net

Script : PHPMyTourney


Vulnerable file : phpmytourney/sources/tourney/index.php

Vulnerable code:
// $page is copied straight from the query string; nothing constrains its value.
$page = $_GET['page'];
// isset() only tells whether the parameter was supplied, not whether it is safe.
if(isset($page))
// The request-supplied value becomes the include target with '.php' appended, so
// the caller decides which file PHP loads and executes. Where the PHP
// configuration permits URL includes (allow_url_include), that target can be a
// remote URL -- the remote file include this advisory reports.
include($page . '.php');
else
echo("must specify a page ");
(lines 45-49 of the vulnerable file)

Quick fix:
Replace the vulnerable code with:
=0D
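// $page is still the raw 'page' query parameter, so treat it as untrusted.
// Accept only a bare page name made of letters, digits, underscore and hyphen.
// That excludes '.', ':' and '/', so no URL scheme, path separator or '..'
// sequence can reach include().
//
// This replaces the eregi() checks for two reasons:
//   - eregi(".", $page) treats "." as a regex wildcard, so it matched every
//     non-empty value and the condition rejected every page, valid or not;
//   - eregi() was deprecated in PHP 5.3 and removed in PHP 7.
//
// is_string() rejects array input such as ?page[]=x before it reaches
// preg_match(). \z anchors at the true end of the string, so a trailing
// newline is not accepted. file_exists() keeps the original requirement that
// the page file is actually present.
if (is_string($page)
    && preg_match('/^[A-Za-z0-9_-]+\z/', $page) === 1
    && file_exists($page . '.php'))
{
    include($page . '.php');
}
else
{
    // Same message as before for a missing, malformed or unknown page name.
    echo("must specify a page ");
}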
=0D
Affected URL: phpmytourney/sources/tourney/index.php?page=[Evil-Script]
=0D
=0D
=0D
#WwW.SoQoR.NeT