phpNagios v 1.2.0 (menu.php) LFI Vulnerability

vendor:

phpNagios

by:

CoBRa_21

7.5

CVSS

HIGH

Local File Inclusion (LFI)

CWE

Product Name: phpNagios

Affected Version From: 1.2.2000

Affected Version To: 1.2.2000

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

phpNagios v 1.2.0 (menu.php) LFI Vulnerability

A vulnerability exists in phpNagios v 1.2.0 due to improper validation of user-supplied input in the 'conf[lang]' parameter of the 'menu.php' script. This can be exploited to include arbitrary local files by passing directory traversal strings to the 'conf[lang]' parameter.

Mitigation:

Input validation should be used to prevent directory traversal attacks.

Source

Exploit-DB raw data:

-------------------------------------------------------------------------------------
phpNagios v 1.2.0 (menu.php) LFI Vulnerability
-------------------------------------------------------------------------------------
 
Author: CoBRa_21
 
Mail: uyku_cu[at]windowslive[dot]com
 
Script Download: http://sourceforge.net/projects/phpnagios/
 
-------------------------------------------------------------------------------------
 
EXPLOÄ°T:
 
http://localhost/[PATH]/menu.php?conf[lang]= [LFÄ°]
 
-------------------------------------------------------------------------------------
 
BUG
Line 28:        include_once("lib/lang/".$conf['lang']."/menu.php");
 
-------------------------------------------------------------------------------------

# milw0rm.com [2009-09-09]