Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:12761
HistoryMay 23, 2006 - 12:00 a.m.

Destiney Links Script v2.1.2

2006-05-2300:00:00
vulners.com
5
JSON

Destiney Links Script v2.1.2 - XSS Vulnv & Full path errors.

Homepage:

http://destiney.com/scripts

Description:
Destiney Links is an Open Source project written in PHP for use with the MySQL Server entity. Links provides a pre-built,
dynamically generated, Link site. Links counts referrers in and out for listed sites. Links provides site categorization up
to 5 levels dee

Effected Files:
index.php

Exploits:

Almost all files called directly from the /include/ folder and /themes/original/ displays full path disclosure errors.

Input data in the Search and Add a Site forms arent filtered and sanatized. Attacks such as XSS' can occure because of that.

URL injection of index.php can lead to full path disclosure errors.

URL Example:
http://links.destiney.com/index.php?show=pop'

Warning: include(include/pop\'.php) [function.include]: failed to open stream: No such file or directory in
/home/destiney/domains/examplesite.com/public_html/index.php on line 98

Warning: include() [function.include]: Failed opening 'include/pop\'.php' for inclusion
(include_path='.:/usr/share/php5:/usr/share/php') in /home/destiney/domains/examplesite.com/public_html/index.php on line 98

JSON