vendor: New CMS
by: Xash
CVSS: 7,5 HIGH
Local File Inclusion
CWE: 98
Product Name: New CMS
Affected Version From: <= 1.12
Affected Version To: <= 1.12
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2010
New CMS Local File Inclusion
New CMS is vulnerable to Local File Inclusion (LFI). An attacker can exploit this vulnerability to include local files on the server and execute arbitrary code. The vulnerable parameter is 'pg', which is not properly sanitized before being used in the include() function.
Mitigation:
Input validation should be used to prevent the inclusion of malicious files. The application should also be configured to use a whitelist of allowed files and directories.
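
One way to apply the allow-list mitigation to the `pg` parameter, shown as an added PHP example rather than New CMS code. The page keys, file names and the `pages/` directory are hypothetical.

```php
<?php
// Added example, not New CMS source. Page keys, file names and the
// pages/ directory are hypothetical.

// Pattern the advisory describes: request input reaches include() directly.
//   include($_GET['pg']);   // the caller chooses the path

// Allow-list: the request value is only a lookup key, never part of a path.
const PAGE_DIR = __DIR__ . '/pages';
const PAGES = [
    'home'    => 'home.php',
    'news'    => 'news.php',
    'contact' => 'contact.php',
];

function resolve_page($pg): ?string
{
    // Reject arrays (?pg[]=x) and anything that is not a known key.
    if (!is_string($pg) || !array_key_exists($pg, PAGES)) {
        return null;
    }
    // Defence in depth: the resolved file must exist and must stay inside
    // PAGE_DIR even if an allow-list entry is later edited or symlinked.
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . PAGES[$pg]);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$page = resolve_page($_GET['pg'] ?? 'home');
if ($page === null) {
    // Unknown key: fail closed instead of falling back to the raw input.
    http_response_code(404);
    exit('Page not found');
}
include $page;
```

Because the included path is built only from the fixed table, filtering traversal sequences or null bytes out of `pg` is unnecessary, and rejected values can be logged as probable probing.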