Local File Inclusion in Phreebooks v2.0

vendor:

Phreebooks

by:

Gustavo Sorondo

5,5

CVSS

MEDIUM

Local File Inclusion

CWE

Product Name: Phreebooks

Affected Version From: Phreebooks v2.0

Affected Version To: Phreebooks v2.0

Patch Exists: N/A

Related CWE: N/A

CPE: a:phreebooks:phreebooks:2.0

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Any running Phreebooks v2.0

2010

Local File Inclusion in Phreebooks v2.0

A vulnerability has been found in Phreebooks v2.0 which allows malicious people to include local files by entering special characters in variables used to create file paths. The attackers use “../” sequences to move up to root directory, thus permitting navigation through the file system. The files are included into the scripts and its contents executed by the server.

Mitigation:

N/A

Source

Exploit-DB raw data:

Advisory Name: Local File Inclusion in Phreebooks v2.0
Internal Cybsec Advisory Id:
Vulnerability Class: Local File Inclusion
Release Date: 2010-05-26
Affected Applications: Phreebooks v2.0
Affected Platforms: Any running Phreebooks v2.0
Local / Remote: Remote
Severity: Medium – CVSS: 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Researcher: Gustavo Sorondo
Vendor Status: N/A
Reference to Vulnerability Disclosure Policy: http://www.cybsec.com/vulnerability_policy.pdf
Vulnerability Description:
A vulnerability has been found in Phreebooks v2.0 which allows malicious people to include local files
by entering special characters in variables used to create file paths. The attackers use “../” sequences to
move up to root directory, thus permitting navigation through the file system.
The files are included into the scripts and its contents executed by the server.


Download:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/13777.pdf (cybsec_advisory_2010_0602_Phreebooks_v2_0_Local_File_Inclusion.pdf)