Disclosure on Froogle PHP script: setup.php unauthorized access

Tuesday, December 14, 2004

############################################
Disclosure on Froogle PHP script by http://www.68designs.com/
Target: Froogle script version 1.0
Vendor URL: http://www.68designs.com/kb/link.php?id=5
Impact: disclosure of installation path, unauthorized access
Exploit included: yes    Vendor informed: yes
OSVDB ID: 12481
Secunia: SA13504
SecurityTracker: 1012553
############################################

Froogle script is a PHP web-based script that is added to an e-commerce suite or store
to manage a Froogle account easily and offer products through Froogle.

In a default installation this script is installed through a file called 'setup.php'.
No authentication is needed to run that script, and it remains on the server after
installation, so any user can call it and, in certain cases, reinstall the application
or obtain administrative access to it.
Proof of concept:

http://[target]/froogle_path/setup.php
http://[target]/froogle/setup.php?option=step1
http://[target]/froogle/setup.php?option=step2
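The fix a practitioner would apply to an installer of this kind, written here as an added example; it is not the Froogle script's or the vendor's code. Only the option values step1 and step2 come from the proof-of-concept URLs above; the lock file name, the directory layout and the response texts are assumptions. The weak pattern runs whatever step is requested; the guarded version refuses every request once a lock file written by the final step exists, and creates that lock atomically so two concurrent callers cannot both finalize the install.

```php
<?php
// Added example, not the Froogle script's own code. File names and option
// values other than step1/step2 are illustrative assumptions.

// Weak pattern: what an unprotected setup.php amounts to. The requested step
// runs with no check that the application is already installed and no check
// of who is asking.
function install_step_unprotected(string $option): string
{
    return "running installer step '$option'";
}

// Hardened pattern: the last step writes a lock file and every later request
// is refused before any step runs.
const INSTALL_LOCK = __DIR__ . '/install.lock';   // assumed location

function is_installed(string $lockFile = INSTALL_LOCK): bool
{
    return file_exists($lockFile);
}

function install_step_guarded(string $option, string $lockFile = INSTALL_LOCK): string
{
    if (is_installed($lockFile)) {
        http_response_code(403);
        return 'setup is disabled: application already installed; remove '
            . basename($lockFile) . ' on the server (or delete setup.php) to reinstall';
    }
    // Accept only a fixed, known set of steps; anything else is refused.
    $steps = ['step1', 'step2'];
    if (!in_array($option, $steps, true)) {
        http_response_code(400);
        return 'unknown setup step';
    }
    $result = "running installer step '$option'";
    if ($option === end($steps)) {
        // Final step: create the lock with 'x' mode (O_EXCL semantics), so the
        // installer cannot be completed twice even by concurrent requests.
        $fh = @fopen($lockFile, 'x');
        if ($fh === false) {
            http_response_code(409);
            return 'installation already finalized by another request';
        }
        fwrite($fh, date('c') . "\n");
        fclose($fh);
        $result .= '; installation finalized and setup locked';
    }
    return $result;
}

// Handles the URL shape from the proof of concept (setup.php?option=step1)
// when served by a web server, and takes the step and lock path as arguments
// on the command line for a quick offline demonstration:
//   php setup_guard.php step1 /tmp/froogle.lock
//   php setup_guard.php step2 /tmp/froogle.lock   # finalizes and writes the lock
//   php setup_guard.php step1 /tmp/froogle.lock   # now refused
if (PHP_SAPI === 'cli') {
    $option = $argv[1] ?? 'step1';
    $lock   = $argv[2] ?? sys_get_temp_dir() . '/froogle-setup.lock';
    echo install_step_guarded($option, $lock), "\n";
} else {
    $option = $_GET['option'] ?? 'step1';
    header('Content-Type: text/plain');
    echo install_step_guarded($option), "\n";
}
```

The lock only closes the reinstall path; deleting setup.php after installation, or restricting it to an authenticated administrator, is still the safer default, and the check for an exposed installer on a live host is simply whether the PoC URLs return the installer page instead of a 403 or 404.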

Sincerely,
Lostmon (lostmon@gmail.com)

Thanks to estrella for being my light
Thanks to all who believed in me

Securitytracker url: http://securitytracker.com/alerts/2004/Dec/1012553.html

--
Curiosity is what moves the mind....
My blog: http://lostmon.blogspot.com
Mail: Lostmon@gmail.com
Lostmon Google group: Lostmon@googlegroups.com
