Xonic.ru News 1.0 - 'script.php' Remote Command Execution

Author: DWC Gr0up
type: webapps
platform: php
port: 
date_added: 2003-03-31 
date_updated: 2012-11-05 
verified: 1 
codes:  
tags: 
aliases:  
screenshot_url:  
application_url: 

source: https://www.securityfocus.com/bid/7365/info

A vulnerability has been reported for Xonic.ru News. The problem occurs due to insufficient sanitization of user-supplied data to the 'script.php' file. As a result, it may be possible for an attacker to pass malicious PHP or shell commands in requests to a target server. All commands would be executed on the system with the privileges of the vulnerable application.

http://www.example.org/admin/script.php?data=script.php?data=<? system($cmd) ?>