-=[--------------------ADVISORY-------------------]=- logahead UNU edition 1.0 Author: CorryL [corryl80 (at) gmail (dot) com [email concealed]] -=[-----------------------------------------------]=- -=[+] Application: logahead UNU edition -=[+] Version: 1.0 -=[+] Vendor's URL: http://typo.i24.cc/logahead/ -=[+] Platform: WindowsLinuxUnix -=[+] Bug type: Remote Upload file & Code execution -=[+] Exploitation: Remote -=[-] -=[+] Author: CorryL ~ corryl80[at]gmail[dot]com ~ -=[+] Reference: www.x0n3-h4ck.org -=[+] Virtual Office: http://www.kasamba.com/CorryL -=[+] Irc Chan: irc.darksin.net #x0n3-h4ck -=[+] Special Thanks: Merry Christmas for All, Thanks for all #x0n3-h4ck member, un saluto a tutti gli avolesi nel mondo. ..::[ Descriprion ]::.. You might already have heard of logahead - the ajaxified blogging engine using PHP4 and mySQL database by James from the UK. The UNU edition is based on the logahead beta 1.0 code published under GNU/GPL license. While the original version sticks to the basic functions of a blog (mainly publishing posts and receiving comments), the UNU edition is more enchanted and offers a number of additional features. ..::[ Bug ]::.. My give searches the form Widgets of this blog is results vulnerability, in fact a remote attaker is able to upload also a file php, and to perform arbitrary commands inside the server victim. ..::[ Proof Of Concept ]::.. http://www.server-victim/extras/plugins/widged/_widged.php?A=U&D= ..::[ Disclousure Timeline ]::.. [25/12/2006] - Public disclousure