vendor:
TextSend
by:
nuffsaid
7,5
CVSS
HIGH
Remote File Inclusion
98
CWE
Product Name: TextSend
Affected Version From: TextSend <= 1.5
Affected Version To: TextSend <= 1.5
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit:
N/A
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2006
TextSend <= 1.5 (config/sender.php) Remote File Include Vulnerability
TextSend config/sender.php does not initialize the $ROOT_PATH variable before using it to include files, assuming register_globals = on, we can initialize the variable in a query string and include a remote file of our choice.
Mitigation:
Initialize the $ROOT_PATH variable before using it to include files.
