#96 You can see physical path of the site

XOOPS_2.0_RC3_(old)
closed
nobody
5
2012-09-25
2003-05-14
No

Hi,

As in the title, you can see the physical path of the site, or it
could be used for a script injection exploit.

I type in my browser:
e.g. www.xoops.org/header.php
and get:
Warning: main(XOOPS_ROOT_PATH/class/xoopsblock.php) [function.main]: failed to create stream: No such file or directory in /home/xoops/public_html/header.php on line 28

Warning: main() [function.main]: Failed opening 'XOOPS_ROOT_PATH/class/xoopsblock.php' for inclusion (include_path='.:/usr/local/lib/php') in /home/xoops/public_html/header.php on line 28

Warning: main(XOOPS_ROOT_PATH/class/template.php) [function.main]: failed to create stream: No such file or directory in /home/xoops/public_html/header.php on line 62

Fatal error: main() [function.main]: Failed opening required 'XOOPS_ROOT_PATH/class/template.php' (include_path='.:/usr/local/lib/php') in /home/xoops/public_html/header.php on line 62


The header.php contains:
include_once XOOPS_ROOT_PATH.'/class/xoopsblock.php';

So if we can change XOOPS_ROOT_PATH, we can run
a bad xoopsblock.php (if we have one on
www.myserver.com/class/xoopsblock.php).

I don't know if it's serious, but I've found something like that
in other files.

KubaZ
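
The report says the same pattern appears in other files. As an added example (not part of the ticket or of XOOPS itself), this Python script lists the lines in PHP files that include via XOOPS_ROOT_PATH before the file has checked it with defined() or set it with define(). The function names and sample strings are constructed for illustration, and the check is a line-based heuristic.

```python
import re
from pathlib import Path

CONST = "XOOPS_ROOT_PATH"  # constant named in the ticket

# include/require (optionally _once) whose path expression starts with the constant
INCLUDE_RE = re.compile(r"\b(?:include|require)(?:_once)?\b\s*\(?\s*" + CONST + r"\b")
# defined('XOOPS_ROOT_PATH') check, or define('XOOPS_ROOT_PATH', ...) in the same file
SAFE_RE = re.compile(r"\bdefined?\s*\(\s*['\"]" + CONST + r"['\"]")
BLOCK_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)


def _blank_comments(src):
    """Blank /* */ blocks and whole-line // or # comments, keeping line numbers."""
    src = BLOCK_COMMENT_RE.sub(lambda m: "\n" * m.group(0).count("\n"), src)
    return ["" if ln.lstrip().startswith(("//", "#")) else ln for ln in src.splitlines()]


def unguarded_includes(src):
    """Return 1-based line numbers of includes that use the constant before the
    file has checked it with defined() or set it with define() (heuristic)."""
    hits = []
    for no, line in enumerate(_blank_comments(src), start=1):
        safe, inc = SAFE_RE.search(line), INCLUDE_RE.search(line)
        if inc and not (safe and safe.start() < inc.start()):
            hits.append(no)
        if safe:
            break  # later includes run only after the check/definition
    return hits


def scan_tree(root):
    """Map each .php file under root to its unguarded include lines."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = unguarded_includes(path.read_text(errors="replace"))
        if hits:
            report[str(path.relative_to(root))] = hits
    return report


# Constructed samples; the first mirrors the include quoted in the ticket.
SAMPLE_UNGUARDED = "<?php\ninclude_once XOOPS_ROOT_PATH.'/class/xoopsblock.php';\n"
SAMPLE_GUARDED = (
    "<?php\nif (!defined('XOOPS_ROOT_PATH')) { exit; }\n"
    "include_once XOOPS_ROOT_PATH.'/class/xoopsblock.php';\n"
)

if __name__ == "__main__":
    print(unguarded_includes(SAMPLE_UNGUARDED))
    print(unguarded_includes(SAMPLE_GUARDED))
```

Files that load a bootstrap through a relative include before using the constant are also reported, so each hit needs a manual look before it is treated as directly reachable.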
