


Category:   Application (Generic)  >   PHP TopSites Vendors:   iTop10.Net
PHP Topsites 'counter.php' Input Validation Flaw Lets Remote Users Modify Files on the System
SecurityTracker Alert ID:  1006368
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 24 2003
Impact:   Denial of service via network, Modification of system information, Modification of user information
Exploit Included:  Yes  
Version(s): 2.0
Description:   Trent Pb reported a vulnerability in PHP Topsites. A remote user can modify some files on the server.

A remote user can reportedly specify an arbitrary file name for the 'count_log_file' variable to cause the counter.php script to overwrite the specified file with a series of numbers.

[Editor's note: The report does not indicate if a relative path or absolute path to another directory is permitted or not.]
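The flaw described above is a file name taken straight from a request parameter ('count_log_file') and handed to a write-mode open. One thing a site operator can do without the vendor's fix is look for requests that set that parameter at all, since a legitimate visitor never does. The following is an added example written for this entry, not code from the report or from PHP Topsites: it parses a few constructed Apache-style access log lines and reports every request to counter.php whose query string carries count_log_file, flagging values that reach outside the script's directory. The log lines, addresses and paths are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access log lines (combined log format); not taken from the advisory.
SAMPLE_LOG = """\
203.0.113.10 - - [24/Mar/2003:10:01:02 +0000] "GET /topsites/counter.php?id=7 HTTP/1.1" 200 12 "-" "Mozilla/4.0"
203.0.113.11 - - [24/Mar/2003:10:01:05 +0000] "GET /topsites/counter.php?count_log_file=index.php HTTP/1.1" 200 9 "-" "Mozilla/4.0"
203.0.113.12 - - [24/Mar/2003:10:01:09 +0000] "POST /topsites/counter.php HTTP/1.1" 200 9 "-" "Mozilla/4.0"
203.0.113.13 - - [24/Mar/2003:10:02:17 +0000] "GET /topsites/counter.php?count_log_file=..%2F..%2Fconfig.php HTTP/1.1" 200 9 "-" "Mozilla/4.0"
203.0.113.14 - - [24/Mar/2003:10:03:00 +0000] "GET /topsites/index.php HTTP/1.1" 200 4521 "-" "Mozilla/4.0"
"""

# Client address, timestamp, method, request target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def is_outside_script_dir(value):
    """True when the supplied file name escapes the directory counter.php lives in."""
    return value.startswith("/") or value.startswith("\\") or ".." in value.replace("\\", "/").split("/")


def find_counter_abuse(log_text, script_name="counter.php", param="count_log_file"):
    """Return one dict per request to counter.php whose query string sets the log-file parameter.

    Only GET query strings are visible in an access log; a POSTed form body is not,
    so a POST to counter.php is recorded separately as 'unverifiable'.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not (parts.path == script_name or parts.path.endswith("/" + script_name)):
            continue
        # parse_qs percent-decodes values, so "..%2F..%2Fconfig.php" arrives as "../../config.php".
        query = parse_qs(parts.query, keep_blank_values=True)
        if param in query:
            for value in query[param]:
                hits.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "value": value,
                    "traversal": is_outside_script_dir(value),
                    "unverifiable": False,
                })
        elif m.group("method") == "POST":
            # The parameter may be in the body, which the access log does not record.
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "value": None,
                "traversal": False,
                "unverifiable": True,
            })
    return hits


if __name__ == "__main__":
    for hit in find_counter_abuse(SAMPLE_LOG):
        print(hit)
```

Because the demonstration form in the Source Message submits via a button, the parameter may travel in a POST body, which the default access log does not record; for those requests the script can only say that counter.php was POSTed to, and confirming an overwrite means checking modification times of files writable by the web server process.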

A demonstration exploit web form is provided in the Source Message.

Skull Hacker is credited with discovering this flaw.

Impact:   A remote user can overwrite files on the target system that are writable by the web server process.
Solution:   No vendor solution was available at the time of this entry. The author of the report has provided an unofficial patch for the counter.php file, available in the Source Message.
Vendor URL:
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  PHP TopSites 2.0 Remote Destroy Exploit


Hello, I found this exploit in PHP Topsites 2.0. All the info is in the text
file. Thanks!




PHP Topsites 2.0 Remote Destroy Exploit

Discovered By Skull Hacker 24/3/03


Greetz, I found a vulnerability in counter.php on PHP Topsites 2.0: a remote
attacker can open and replace a file of their choice on the server with
lines of numbers. I have included a patch and exploit as seen below.


Simply change the URL to the vulnerable TopSites URL, save, run and click
destroy!


<TITLE>PHP Topsites 2.0 Remote Destroy Exploit. Found By Skull 


<P><B><FONT FACE="Arial">PHP
Topsites 2.0 Remote Destroy Exploit
- Discovered By Skull Hacker
<A HREF=""></A>
</FONT><FONT SIZE="2">Click
destroy and the Topsites will then be
fully erased and replaced with
numbers. Enjoy! Note: change the count_log_file=index.php to any file you
want to overwrite on the server.<BR>

<INPUT TYPE="submit" VALUE="Destroy" NAME="B1"></P>




Open counter.php and replace all of it with this, and remember to change the
log file in this patch.


<?php
// Patch for TopSites 2.0 counter.php Remote Destroy Exploit by Skull Hacker.
// The log file name is fixed here rather than taken from the request, so a
// remote user can no longer choose which file the counter writes to.
$count_log_file = "--Your Log File--";

// Read the current count (first line of the log file) and increment it.
$counter_file_line = file($count_log_file);
$counter_file_line[0] = $counter_file_line[0] + 1;

// Write the new count back to the fixed log file.
$cf = fopen($count_log_file, "w");
fputs($cf, "$counter_file_line[0]");
fclose($cf);

$display = $counter_file_line[0];

// Abbreviate large counts as millions ("M") or thousands ("K").
if ($counter_file_line[0] >= 10000000) {
	$display = round($counter_file_line[0] / 1000000) . "M";
} elseif ($counter_file_line[0] >= 100000) {
	$display = round($counter_file_line[0] / 1000) . "K";
}

echo $display;
?>



