Home page logo

bugtraq logo Bugtraq mailing list archives

logahead UNU edition 1.0 Remote File Upload & code execution
From: corrado.liotta () alice it
Date: 25 Dec 2006 21:13:38 -0000

              logahead UNU edition 1.0     
  Author: CorryL    [corryl80 () gmail com]   

-=[+] Application:    logahead UNU edition
-=[+] Version:        1.0
-=[+] Vendor's URL:   http://typo.i24.cc/logahead/ 
-=[+] Platform:       Windows\Linux\Unix
-=[+] Bug type:       Remote Upload file & Code execution
-=[+] Exploitation:   Remote
-=[+] Author:          CorryL  ~ corryl80[at]gmail[dot]com ~
-=[+] Reference:       www.x0n3-h4ck.org
-=[+] Virtual Office:  http://www.kasamba.com/CorryL
-=[+] Irc Chan:        irc.darksin.net #x0n3-h4ck        
-=[+] Special Thanks: Merry Christmas for All, Thanks for all  #x0n3-h4ck member, 
                                  un saluto a tutti gli avolesi nel mondo.

..::[ Descriprion ]::..

You might already have heard of logahead - the ajaxified blogging engine using PHP4 and mySQL database by James from 
the UK.
The UNU edition is based on the logahead beta 1.0 code published under GNU/GPL license. While the original version 
sticks to the basic functions of a blog (mainly publishing posts and receiving comments), the UNU edition is more 
enchanted and offers a number of additional features.

..::[ Bug ]::..

My give searches the form Widgets of this blog is results vulnerability, in fact
a remote attaker is able to upload also a file php, and to perform arbitrary commands
inside the server victim.

..::[ Proof Of Concept ]::..


..::[ Disclousure Timeline ]::..

 [25/12/2006] - Public disclousure

  By Date           By Thread  

Current thread:
  • logahead UNU edition 1.0 Remote File Upload & code execution corrado . liotta (Dec 26)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]