ECHO_ADV_48$2006

-----------------------------------------------------------------------------------------------
[ECHO_ADV_48$2006] WebYep <= 1.1.9 (webyep_sIncludePath) Multiple Remote File Inclusion Vulnerability
-----------------------------------------------------------------------------------------------

Author        : Dedi Dwianto a.k.a the_day
Date Found    : October, 05th 2006
Location      : Indonesia, Jakarta
web           : http://advisories.echo.or.id/adv/adv48-theday-2006.txt
Critical Lvl  : Highly critical
Impact        : System access
Where         : From Remote
---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application : WebYep
version     : <=1.1.9
URL         : http://www.obdev.at

WebYep is a compact Web Content Management System for extremely simple creation of editable web pages.
It is a low priced alternative for small to medium web sites.

---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~~

The vulnerable script, WYApplication.php, is in the folder webyep-system/programm/lib.

---------------------------WYApplication.php---------------------------------------
....
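
Added example, not part of the original advisory: a web access-log check for requests that set the webyep_sIncludePath parameter named in the title, marking values that point at a remote location. The log lines, client addresses and the /page.php path are constructed for illustration; the advisory's own listing is cut off, so no real script path is assumed.

```python
import re
from urllib.parse import parse_qsl

PARAM = "webyep_sIncludePath"  # parameter named in the advisory title

# Common/combined log format: client ... "METHOD target HTTP/x.y" status ...
LOG_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

# A value starting with a URL scheme (http:, ftp:, php:, data: ...), with // or
# with \\ points outside the local include tree. Two or more scheme characters
# are required so a Windows drive letter such as C:\ is not read as a scheme.
REMOTE_RE = re.compile(r'^\s*(?:[a-z][a-z0-9+.\-]+:|//|\\\\)', re.I)

# Constructed sample input (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Oct/2006:10:00:01 +0700] "GET /index.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [05/Oct/2006:10:00:09 +0700] "GET /page.php?'
    'webyep_sIncludePath=http%3A%2F%2Fhost.invalid%2Finc%2F HTTP/1.0" 200 312',
    '192.0.2.10 - - [05/Oct/2006:10:00:15 +0700] "GET /page.php?'
    'webyep_sIncludePath=./ HTTP/1.1" 200 4096',
    '203.0.113.5 - - [05/Oct/2006:10:00:20 +0700] "GET /page.php?'
    'WEBYEP_SINCLUDEPATH=x HTTP/1.1" 200 4096',
]


def include_path_values(target):
    """Return the percent-decoded values of PARAM in a request target."""
    query = target.partition("?")[2]
    # PHP variable names are case-sensitive, so the key is matched exactly.
    return [v for k, v in parse_qsl(query, keep_blank_values=True) if k == PARAM]


def scan(lines):
    """Return (line_no, client, kind, value, status) for each request setting PARAM."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = LOG_RE.match(line)
        if not match:
            continue
        client, target, status = match.groups()
        for value in include_path_values(target):
            kind = "remote" if REMOTE_RE.match(value) else "local"
            findings.append((number, client, kind, value, int(status)))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Only the query string is visible in an access log, so values sent in a POST body are not covered, and a 200 status does not by itself show that an inclusion took place.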