Vendor: WebCreator
By: Dedi Dwianto a.k.a the_day
CVSS: 9 (CRITICAL)
CWE: Remote File Inclusion
Product Name: WebCreator
Affected Version From:
Affected Version To: 0.2.6-rc3
Patch Exists: NO
Related CWE:
CPE:
Platforms Tested:
2007
WebCreator <= 0.2.6-rc3 (moddir) Remote File Inclusion Vulnerability
Input passed to the "$moddir" parameter in load.inc.php is not properly verified before being used to include files. This can be exploited to execute arbitrary PHP code by including files from local or external resources.
Mitigation:
Sanitize the $moddir variable in the affected files. Turn off register_globals.
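The mitigation above, sketched as an added example (not WebCreator's code and not part of the original advisory). The module names, the directory layout, the `module.inc.php` file name and the `module` request parameter are assumptions made for illustration.

```php
<?php
// Hypothetical reconstruction of the vulnerable pattern (not the real load.inc.php):
// with register_globals = On, a request parameter named "moddir" sets $moddir
// before the script uses it, so the include base comes from the request:
//     include($moddir . '/module.inc.php');
//
// php.ini hardening that goes with the code fix:
//     register_globals  = Off   ; request data no longer becomes global variables
//     allow_url_include = Off   ; include/require refuse URL wrappers

// Hardened form: the include base is a server-side constant, never request data.
const MODULE_ROOT = __DIR__ . '/modules';                    // assumed layout
const ALLOWED_MODULES = ['news', 'gallery', 'guestbook'];    // constructed sample names

/**
 * Map a requested module name to a file under MODULE_ROOT.
 * Returns the absolute path, or null if the name is not allowed.
 */
function resolve_module(string $name): ?string
{
    // Exact, type-strict match against the allowlist: no paths, no URLs.
    if (!in_array($name, ALLOWED_MODULES, true)) {
        return null;
    }
    $root = realpath(MODULE_ROOT);
    $path = realpath(MODULE_ROOT . '/' . $name . '/module.inc.php');
    // realpath() returns false for missing files; also confirm the resolved
    // path is still inside MODULE_ROOT (guards against symlinks pointing out).
    if ($root === false || $path === false
        || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Read the module name explicitly from the request instead of relying on globals.
$requested = (isset($_GET['module']) && is_string($_GET['module'])) ? $_GET['module'] : '';
$file = resolve_module($requested);
if ($file === null) {
    http_response_code(400);
    exit('Unknown module');
}
require $file;
```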