vendor:
Ptag
by:
cr4wl3r
9.3
CVSS
HIGH
Remote File Inclusion (RFI)
98
CWE
Product Name: Ptag
Affected Version From: 4.0.0
Affected Version To: 4.0.0
Patch Exists: NO
Related CWE: N/A
CPE: a:ptag:ptag
Metasploit:
N/A
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: GNU/LINUX
2009
Ptag <= 4.0.0 Multiple RFI Exploit
Ptag <= 4.0.0 is vulnerable to Remote File Inclusion (RFI) attacks. An attacker can exploit this vulnerability by sending a maliciously crafted URL to the vulnerable application. This can allow the attacker to execute arbitrary code on the server. The vulnerable files are session.php and sql.php, which are located in the lib directory. The attacker can exploit this vulnerability by sending a maliciously crafted URL to the vulnerable application, which includes the path to the malicious file. This can allow the attacker to execute arbitrary code on the server.
Mitigation:
The best way to mitigate this vulnerability is to ensure that all user-supplied input is properly sanitized and validated. Additionally, the application should be configured to only allow access to trusted files.