vendor: STWC-Counter
by: burncycle
CVSS: 7.5 HIGH
File Inclusion
CWE: 98
Product Name: STWC-Counter
Affected Version From: 3.4.0.0
Affected Version To: 3.4.0.0
Patch Exists: NO
Related CWE:
CPE: a:stwc-counter:stwc-counter:3.4.0.0
Platforms Tested:
2007
File Inclusion Exploit for STWC-Counter
This is a file inclusion exploit for STWC-Counter <= 3.4.0.0. The exploit allows an attacker to include arbitrary files on the target system. It requires the target system to have the cURL extension of PHP installed and specific PHP settings (register_globals = On, allow_url_fopen = On, allow_url_include = On). The exploit works by manipulating the 'downloadcounter.php' script and injecting a path to a shell file. The exploit can also be used with a proxy.
Mitigation:
To mitigate this vulnerability, it is recommended to update to a version of STWC-Counter that is not affected by this exploit. Additionally, ensure that PHP settings are properly configured to prevent file inclusion vulnerabilities.
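A configuration check for the three PHP settings named in the description, added here as an example and not part of the original advisory. The function names and both sample php.ini texts are constructed; the fallback values are PHP's built-in defaults, and only the supplied file text is examined (per-directory or runtime overrides are not).

```python
# Directives the advisory lists as preconditions, mapped to PHP's built-in
# default (used when php.ini does not set the directive at all).
PRECONDITIONS = {
    "register_globals": False,
    "allow_url_fopen": True,
    "allow_url_include": False,
}
TRUE_VALUES = {"1", "on", "true", "yes"}


def effective_settings(ini_text):
    """Return the effective on/off state of each precondition directive."""
    state = dict(PRECONDITIONS)
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments
        if not line or line.startswith("[") or "=" not in line:
            continue  # blank line, section header, or not an assignment
        key, value = (part.strip() for part in line.split("=", 1))
        if key in state:  # a later assignment overrides an earlier one
            state[key] = value.strip("\"'").lower() in TRUE_VALUES
    return state


def audit(ini_text):
    """Report enabled preconditions and whether all three are met together."""
    state = effective_settings(ini_text)
    enabled = sorted(name for name, on in state.items() if on)
    return {"enabled": enabled, "exposed": len(enabled) == len(PRECONDITIONS)}


# Constructed sample: every setting the advisory lists is switched on.
WEAK_INI = """[PHP]
register_globals = On
allow_url_fopen = On   ; remote wrappers
allow_url_include = "1"
"""

# Constructed sample: allow_url_fopen is left at its default (On), but the
# other two are off, so the combination the advisory describes is not met.
HARDENED_INI = """[PHP]
register_globals = Off
allow_url_include = On
allow_url_include = Off
; allow_url_fopen intentionally not set
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(label, audit(text))
```

An empty php.ini still reports allow_url_fopen as enabled, because that directive defaults to On.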