
Les Visiteurs v2.0.1 code injection vulnerability

Les Visiteurs is a great statistics script written in PHP.
It gives you graphical information about the visitors of your website.

This script was distributed by but has not been maintained for a year.


In this version, several unprotected includes can be found in these files:

- include/

- include/

It is possible to include a PHP file from a backdoor server and execute it on the target's server.

You just have to create these files on the backdoor server:

- lang/<lang>.inc.php

- db/

Fill one with something like:


echo '<?

echo "<br><br>included from backdoor server :p<br>";



and call a URL such as:



Because the script is not maintained and will not be patched, I have made some tarballs with a patched version.

You will find them at this URL:

Matthieu Peschaud

Epita - France
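
For maintainers who cannot switch to a patched tarball, the sketch below shows how an include of lang/<lang>.inc.php can be made safe. It is an added example, not code from Les Visiteurs or from the advisory's author. Every name in it (STATS_INCLUDE_DIR, STATS_LANGS, resolve_lang_file, the "lang" request parameter, the language list) is hypothetical, and it assumes the unprotected includes build their path from a value a visitor can influence.

```php
<?php
// Added illustration, not Les Visiteurs code. All names are hypothetical.

// The include base is fixed by the script itself and never read from
// request variables, so a visitor cannot point it at another host.
const STATS_INCLUDE_DIR = __DIR__ . '/include';

// Closed list of language files shipped with the application (assumed set).
const STATS_LANGS = ['en', 'fr', 'de'];

/**
 * Map an untrusted language code to a local file path, or return null.
 */
function resolve_lang_file($lang, $baseDir = STATS_INCLUDE_DIR)
{
    // 1. Allowlist: anything that is not a known language code is refused,
    //    which also rejects URLs, "../" sequences and null bytes.
    if (!is_string($lang) || !in_array($lang, STATS_LANGS, true)) {
        return null;
    }
    // 2. realpath() resolves on the local filesystem only and returns
    //    false when the file does not exist there.
    $base = realpath($baseDir);
    $path = realpath($baseDir . "/lang/$lang.inc.php");
    if ($base === false || $path === false) {
        return null;
    }
    // 3. Containment: the resolved file must stay under the base directory
    //    (catches a symlink that leads outside it).
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$requested = isset($_GET['lang']) ? $_GET['lang'] : 'en';
$file = resolve_lang_file($requested);
if ($file === null) {
    $file = resolve_lang_file('en');   // fall back to the default language
}
if ($file !== null) {
    require $file;
}
```

Setting allow_url_include = Off in php.ini (available since PHP 5.2, where it is the default) refuses http:// and ftp:// include targets as a second layer behind the path check.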
