vendor:
LightBlog
by:
JosS
7.5
CVSS
HIGH
Local File Inclusion
22
CWE
Product Name: LightBlog
Affected Version From: 9.8
Affected Version To: 9.8
Patch Exists: NO
Related CWE: N/A
CPE: a:publicwarehouse:lightblog
Metasploit:
N/A
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008
LightBlog 9.8 (GET,POST,COOKIE) Multiple Local File Inclusion Vulnerabilies
LightBlog 9.8 is vulnerable to multiple Local File Inclusion vulnerabilities. An attacker can exploit these vulnerabilities to include arbitrary local files on the affected system, which can lead to further attacks. The vulnerabilities exist due to insufficient sanitization of user-supplied input passed to the 'username' parameter in 'view_member.php', 'username_post' parameter in 'login.php' and 'Lightblog_username' cookie in 'check_user.php' scripts. An attacker can exploit these vulnerabilities by sending a specially crafted HTTP request containing directory traversal sequences and a URL-encoded NULL byte (%00) to the vulnerable scripts.
Mitigation:
Input validation should be used to prevent directory traversal attacks. All user-supplied input should be validated and filtered for malicious characters.