AOH :: HP Unsorted A :: B06-2385.HTM

Artmedic newsletter 4.1 remote code execution
Remote Code Execution in artmedic Newsletter 4.1
Remote Code Execution in artmedic Newsletter 4.1

I found a bug in artmedic Newsletter 4.1 (proably even in newer versions) which lets an attacker run arbitrary php-code and bypass the password protection.

The reason for this is mistake in design.


Usually the log.php is included and $logfile,$logtime and $email are declared in the parent document. If we run "log.php?logfile=anyfile.anyext&logtime=unixtimestamp>0&email=<-- insert php code here -->" we get a file anyfile.anyext with following content:

unixtimestamp&&date&&<-- php code -->&&

a simple example to reveal the admin pw Hash is


just launch info.php?cur=include.php and you will see it.

to kill the entry type:


vendor has not yet been informed, but he will be as soon as possible ...



The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH
We do not send spam. If you have received spam bearing an email address, please forward it with full headers to