NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Bugtraq> 2006-08

Re: Startpage <= 1.0 (cfgLanguage) Remote File Inclusion Vulnerability

From: Carsten Eilers (ceilers-listsgmx.de)
Date: Sun Aug 13 2006 - 07:31:44 CDT

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

sh3llsh3ll.ir schrieb am Thu, 10 Aug 2006 20:53:46 +0000:

>Sanitize Variabel $cfgLanguage in edit.php , functions.php , new.php ,
>PageBottom.php
>
>& PageTop.php

Take a look at config.php:

$cfgLanguage = 'uk'; // Which language do you prefer :
                                                                // uk = English
                                                                // nl = Dutch
                                                                // de = German

config.php is included in edit.php, new.php, PageBottom.php
and PageTop.php at the top of the file, in functions.php at
the top of relevant functions.

No way to include something with cfgLanguage.

Regards
Carste

--
Dipl.-Inform. Carsten Eilers
IT-Sicherheit und Datenschutz

<http://www.ceilers-it.de>

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]