From: Thomas Seifert (thomasphorum.org)
Date: Sat May 18 2002 - 19:12:51 CDT


    Sorry, no, this is not the same case.

    The line you posted is in between a
    if(file_exists("$PHORUM[settings_dir]/replace.php")) {
    ...

    file_exists only works on local filesystems.
    This may only work on the local server, if a user has access to it.

    Thomas

    On Sat, 18 May 2002 15:58:19 -0300
    "Gabriel A. Maggiotti" <gmaggiotciudad.com.ar> wrote:

    > Markus Arndt wrote:
    >
    > > Target:
    > > Phorum 3.3.2a (prior versions?)
    > >
    > > Description:
    > > In Phorum 3.3.2a (a bulletin board) there's a security flaw that lets remote users
    > > include external php scripts and execute arbitrary code.
    >
    > Also admin.php is exploitable ;)
    >
    > forum/plugin/replace/admin.php: include("$PHORUM[settings_dir]/replace.php");
    >