Author : Ph03n1X
http://student.te.ugm.ac.id/~phoenix03

Description

Software : Xaraya v 1.0.1
http://xaraya.com

PoC :

1. http://site.xxx/xaraya/xaraya-1.0.1/html/includes/xarTemplate.php

Call to undefined function: xarcoregetvardirpath() in /usr/local/www/xaraya/xaraya-1.0.1/html/includes/xarTemplate.php on line 54

Vulnerable Code :
define('XAR_TPL_CACHE_DIR',xarCoreGetVarDirPath() . '/cache/templates');

Fix : Create a reference for the function xarCoreGetVarDirPath()

2. http://site.xxx/xaraya/xaraya-1.0.1/html/includes/xarCore.php

Warning: main(includes/xarPreCore.php): failed to open stream: No such file or directory in /usr/local/www/xaraya/xaraya-1.0.1/html/includes/xarCore.php on line 104

Warning: main(): Failed opening 'includes/xarPreCore.php' for inclusion (include_path='.:/usr/lib/php') in /usr/local/www/xaraya/xaraya-1.0.1/html/includes/xarCore.php on line 104

Vulnerable Code :
include_once('includes/xarPreCore.php');

Fix :
include_once('xarPreCore.php');

The same happens for many other links in the includes/ directory.

Turning on error logging and turning off error display in php.ini can be used to fix this security issue.
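
A check for confirming the fix, added here as an example that is not part of the original advisory or of Xaraya: it scans HTTP response bodies for the PHP error format quoted above and reports each server path they expose. The function names and placeholder.php are assumptions; the sample bodies are constructed from the messages in the advisory.

```python
import html
import re
from typing import NamedTuple

class Leak(NamedTuple):
    message: str
    path: str
    line: int

# With display_errors on, PHP ends each error with "in <script path> on line <n>".
PHP_ERROR_RE = re.compile(
    r"^(?P<message>.*?)[ \t]+in[ \t]+"
    r"(?P<path>(?:[A-Za-z]:[\\/]|/)[^\s:]+\.php)[ \t]+on line[ \t]+(?P<line>\d+)",
    re.MULTILINE,
)

def find_path_disclosures(body: str) -> list[Leak]:
    """Return every PHP error in a response body that exposes a server path."""
    # html_errors wraps parts of the message in <b> tags; strip markup first.
    text = html.unescape(re.sub(r"<[^>]+>", "", body))
    return [Leak(m["message"].strip(), m["path"], int(m["line"]))
            for m in PHP_ERROR_RE.finditer(text)]

def audit(responses: dict[str, str]) -> dict[str, list[Leak]]:
    """Map each URL whose body leaks a path to the leaks found in it."""
    found = {url: find_path_disclosures(body) for url, body in responses.items()}
    return {url: leaks for url, leaks in found.items() if leaks}

# Constructed sample: the first two bodies reuse the messages quoted in the
# advisory; the last (hypothetical file name) is an empty, non-leaking body.
BASE = "http://site.xxx/xaraya/xaraya-1.0.1/html/includes/"
ROOT = "/usr/local/www/xaraya/xaraya-1.0.1/html/includes/"
SAMPLE = {
    BASE + "xarTemplate.php":
        "Call to undefined function: xarcoregetvardirpath() in "
        + ROOT + "xarTemplate.php on line 54",
    BASE + "xarCore.php":
        "<b>Warning</b>: main(includes/xarPreCore.php): failed to open stream: No such "
        "file or directory in <b>" + ROOT + "xarCore.php</b> on line <b>104</b><br />\n"
        "<b>Warning</b>: main(): Failed opening 'includes/xarPreCore.php' for inclusion "
        "(include_path='.:/usr/lib/php') in <b>" + ROOT + "xarCore.php</b> on line <b>104</b>",
    BASE + "placeholder.php": "",
}

if __name__ == "__main__":
    for url, leaks in audit(SAMPLE).items():
        print(url, [(leak.path, leak.line) for leak in leaks])
```

Run against your own installation's responses after changing php.ini, an empty result from audit() means no include file still prints its path.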