Dagger default.php File Inclusion Vulnerabilities
Written by Marcelo Almeida (Vympel)
Tuesday, 24 June 2008
CraCkEr has discovered two vulnerabilities in Dagger, which can be
exploited by malicious people to compromise a vulnerable system.
Input passed to the "dir_inc" and "dir_edge_skins" parameters in
skins/default.php is not properly verified before being used to include
files. This can be exploited to include arbitrary files from local or
external resources...
Successful exploitation requires that "register_globals" is enabled.
The vulnerabilities are confirmed in version r12feb2008. Other versions may also be affected.
Solution:
Edit the source code to ensure that input is properly verified.
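One way to apply that kind of verification, as an added example that is not taken from the advisory or from Dagger's source. The directory layout (`inc/`, `skins/edge/`), the file names and the `include_checked()` helper are hypothetical; only the variable names `$dir_inc` and `$dir_edge_skins` come from the advisory.

```php
<?php
// Added example: hardening pattern for a skin file such as skins/default.php.
// Paths, file names and include_checked() are assumptions, not Dagger's code.
//
// Server side (php.ini): register_globals = Off, allow_url_include = Off.

// Assign the include directories unconditionally from the script's own
// location. An explicit assignment overwrites anything register_globals
// copied in from the request, so a request parameter named dir_inc or
// dir_edge_skins can no longer steer the include path.
$app_root       = dirname(dirname(__FILE__));   // assumed: skins/ sits under the app root
$dir_inc        = $app_root . '/inc/';          // hypothetical directory
$dir_edge_skins = $app_root . '/skins/edge/';   // hypothetical directory

/**
 * Include $file from $base_dir only if it is on the allowlist and its
 * resolved location is inside $base_dir.
 */
function include_checked($base_dir, $file, array $allowed)
{
    if (!in_array($file, $allowed, true)) {
        throw new RuntimeException('include not on allowlist');
    }
    // realpath() resolves ../ and symlinks and returns false when the
    // file does not exist on the local filesystem.
    $base = realpath($base_dir);
    $path = realpath($base_dir . $file);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('include path outside expected directory');
    }
    return include $path;
}

try {
    // Constructed file names, for illustration only.
    include_checked($dir_inc, 'header.php', array('header.php', 'footer.php'));
    include_checked($dir_edge_skins, 'layout.php', array('layout.php'));
} catch (RuntimeException $e) {
    error_log('blocked include: ' . $e->getMessage());
    header('HTTP/1.1 500 Internal Server Error');
    exit;
}
```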
Provided and/or discovered by:
CraCkEr
Original Advisory:
http://milw0rm.com/exploits/5916
Original Article:
http://secunia.com/advisories/30771/