Vendor: nzFotolog
Author: IRCRASH (R3d.W0rm)
CVSS: 7.5 (HIGH)
CWE: 22 (Local File Inclusion)
Product Name: nzFotolog
Affected Version From: 2000.4.1
Affected Version To: 2000.4.1
Patch Exists: NO
Related CWE: N/A
CPE: a:ricardo_amaral:nzfotolog:0.4.1
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

nzFotolog v0.4.1 (Lfi)

nzFotolog v0.4.1 contains a local file inclusion vulnerability caused by insufficient sanitization of user-supplied input to the 'action_file' parameter in 'index.php'. An attacker can exploit it by sending a specially crafted HTTP request in which the parameter value contains directory traversal sequences followed by a URL-encoded NULL byte (%00); the NULL byte cuts off anything the script appends to the supplied path, so an arbitrary file from the local filesystem is included instead of the intended one. If the included file contains PHP code (for example, content the attacker was previously able to write to the system), that code is executed by the web server.

Mitigation:

Validate the 'action_file' parameter before it is used in a file include: accept only the expected values rather than treating the input as a path, and reject any value containing directory traversal sequences or NULL bytes.
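The pattern below is an added illustration, not nzFotolog's own source: it shows the kind of include the advisory describes beside a hardened version that maps the 'action_file' token to an allowlist instead of using it as a path. The action names, the views directory and the regular expression are assumptions.

```php
<?php
// Constructed illustration of the flaw described above; NOT code from nzFotolog.
// Only the parameter name 'action_file' comes from the advisory.

// --- Vulnerable pattern (shown for contrast, never executed here) ---
// include($_GET['action_file'] . '.php');
// A value ending in a URL-encoded NULL byte (%00) is decoded to a path that ends in a
// NUL; PHP builds before 5.3.4 truncated the include path at that byte, discarding
// the '.php' suffix, so traversal sequences before it select an arbitrary local file.

// --- Hardened pattern: never build an include path from user input ---
const ACTION_FILES = [            // allowlist: request token => file under the views directory
    'view'   => 'view.php',       // assumed action names
    'upload' => 'upload.php',
];

function resolve_action_file(string $token, string $viewsDir): ?string
{
    // Reject anything that is not a short plain token (this also drops "../", "%00", "/").
    if (!preg_match('/^[a-z_]{1,32}$/', $token)) {
        return null;
    }
    if (!array_key_exists($token, ACTION_FILES)) {
        return null;
    }
    $base = realpath($viewsDir);
    $path = realpath($viewsDir . DIRECTORY_SEPARATOR . ACTION_FILES[$token]);
    // Defence in depth: the resolved file must still live inside the views directory.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$requested = $_GET['action_file'] ?? 'view';
$file = resolve_action_file($requested, __DIR__ . '/views');   // assumed directory
if ($file === null) {
    http_response_code(400);
    exit('invalid action');
}
include $file;
```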

Exploit-DB raw data:

#####################################################################################
####                           nzFotolog v0.4.1 (Lfi)                            ####
#####################################################################################
#                                                                                   #
#AUTHOR : IRCRASH (R3d.W0rm)                                                        #
#Discovered by : IRCRASH (R3d.W0rm)                                                 #
#Our Site : Http://IRCRASH.COM                                                      #
#IRCRASH Team Members : Dr.Crash - R3d.w0rm                                         #
#####################################################################################
#                                                                                   #
#Script Download : www.nazgulled.net                                                #
#                                                                                   #
#DORK : "Powered by nzFotolog v0.4.1 © 2005-2006 Ricardo Amaral"                    #
#                                                                                   #
#####################################################################################
#                                       [Lfi]                                       #
#                                                                                   #
#http://Example/index.php?action_file=file.type%00                                  #
#                                                                                   #
#####################################################################################
#                           Site : Http://IRCRASH.COM                               #
###################################### TNX GOD ######################################

# milw0rm.com [2008-07-30]