PHPMyFAQ Local File Include Vulnerability

vendor:

PHPMyFAQ

by:

SecurityFocus

7.5

CVSS

HIGH

Local File Include

CWE

Product Name: PHPMyFAQ

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2005

PHPMyFAQ Local File Include Vulnerability

PHPMyFAQ is prone to a local file include vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary server-side script code that resides on an affected computer with the privileges of the Web server process. This may potentially facilitate unauthorized access. It should be noted that this issue may also be leveraged to read arbitrary files on an affected computer with the privileges of the Web server.

Mitigation:

Input validation should be used to prevent the exploitation of this vulnerability.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/14929/info

PHPMyFAQ is prone to a local file include vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary server-side script code that resides on an affected computer with the privileges of the Web server process. This may potentially facilitate unauthorized access.

It should be noted that this issue may also be leveraged to read arbitrary files on an affected computer with the privileges of the Web server. 

http://www.example.com/[path]/phpmyfaq/index.php?LANGCODE=/../../../../../../etc/passwd%00
http://www.example.com/[path]/phpmyfaq/index.php?LANGCODE=/../../../../[scriptname]