header-logo
Suggest Exploit
vendor:
Dragoon CMS
by:
milw0rm.com
7.5
CVSS
HIGH
Local File Inclusion (LFI)
98
CWE
Product Name: Dragoon CMS
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

Dragoon CMS

Dragoon CMS is vulnerable to Local File Inclusion (LFI) vulnerability. The vulnerable code is present in the calendrier.php file which is located in the forum/kietu/libs/ directory. An attacker can exploit this vulnerability by sending a maliciously crafted HTTP request to the vulnerable server. The malicious request contains a parameter 'cal[lng]' with a value of [LFI] which can be used to include arbitrary files from the server.

Mitigation:

The best way to mitigate this vulnerability is to restrict access to the vulnerable file and also to validate user input.
Source

Exploit-DB raw data:

Script Name :Dragoon CMS
 
Download : http://sourceforge.net/project/showfiles.php?group_id=118780
 
Error :
$cal['lng']=$_GET['lng'];
include('../lang/'.$cal['lng'].'.php');
 
Vul Code : http://[site]/[path]/forum/kietu/libs/calendrier.php?cal[lng]=[LFI]

# milw0rm.com [2008-04-04]

Navigation

Suggest Exploit

Services By CQR