[quote] By Hasadya Raed ... Script : SoftNews Media Group ... Exploits: http://www.Victim.com/engine/init.php?root_dir=[Shell-Attack] http://www.Victim.com/engine/Ajax/editnews.php?root_dir=[Shell-Attack] ------------------------------------ By Hasadya Raed [/quote] fake, obviously [quote] Vulnerable: Softnews Media Group DataLife Engine 5.5 Softnews Media Group DataLife Engine 4.1 [/quote] let's see as for DLE 5.5: 1) first php code lines in init.php: if(!defined('DATALIFEENGINE')) { die("Hacking attempt!"); } 2) what about root_dir: foster@fiber dle5.5 $ grep root_dir ./engine/init.php foster@fiber dle5.5 $ No variable with 'root_dir' name... foster@fiber dle5.5 $ grep -i root_dir ./engine/init.php if (@is_dir(ROOT_DIR.'/templates/'.$category_skin)) if (@is_dir(ROOT_DIR.'/templates/'.$_REQUEST['skin_name']) AND $_REQUEST['skin_name'] != '') if (@is_dir(ROOT_DIR.'/templates/'.$_COOKIE['dle_skin'])) include_once ROOT_DIR.'/language/'.$config["lang_".$config['skin']].'/website.lng'; include_once ROOT_DIR.'/language/'.$config['langs'].'/website.lng'; $tpl->dir = ROOT_DIR.'/templates/'.$config['skin']; require_once ROOT_DIR.'/engine/engine.php'; ROOT_DIR - is defined constant, not variable. So, nobody can define it with GET query :) The same for "engine/Ajax/editnews.php": foster@fiber dle5.5 $ egrep -i root_dir engine/ajax/editnews.php define('ROOT_DIR', '../..'); if (@is_dir(ROOT_DIR.'/templates/'.$_COOKIE['dle_skin'])) include_once ROOT_DIR.'/language/'.$config["lang_".$config['skin']].'/website.lng'; include_once ROOT_DIR.'/language/'.$config['langs'].'/website.lng'; Regards, Foster [RST/GHC]
