header-logo
Suggest Exploit
vendor:
FarsiNews
by:
SecurityFocus
7.5
CVSS
HIGH
Directory-Traversal and Local File-Include
22
CWE
Product Name: FarsiNews
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2005

FarsiNews Directory-Traversal and Local File-Include Vulnerabilities

FarsiNews is prone to directory-traversal and local file-include vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input. An attacker can exploit the directory-traversal vulnerability to retrieve arbitrary files from the vulnerable system in the context of the webserver process. The local file-include vulnerability lets the attacker include arbitrary local files. The impact of this issue depends on the content of the files included. If an attacker can place a malicious script on the vulnerable computer (either through legitimate means or through other latent vulnerabilities), then the attacker may be able to execute arbitrary code in the context of the webserver process. The attacker may also be able to use existing scripts to perform some malicious activity.

Mitigation:

Input validation should be used to prevent directory-traversal and local file-include attacks. Additionally, the web server should be configured to deny access to files and directories that are not necessary for the application to function.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/16580/info

FarsiNews is prone to directory-traversal and local file-include vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input.

An attacker can exploit the directory-traversal vulnerability to retrieve arbitrary files from the vulnerable system in the context of the webserver process.

The local file-include vulnerability lets the attacker include arbitrary local files. The impact of this issue depends on the content of the files included. If an attacker can place a malicious script on the vulnerable computer (either through legitimate means or through other latent vulnerabilities), then the attacker may be able to execute arbitrary code in the context of the webserver process. The attacker may also be able to use existing scripts to perform some malicious activity.

http://www.example.com/show_archives.php?template=/../../[local-file]%00

Navigation

Suggest Exploit

Services By CQR