header-logo
Suggest Exploit
vendor:
PotatoNews
by:
Unknown
7.5
CVSS
HIGH
Local File Inclusion
22
CWE
Product Name: PotatoNews
Affected Version From: 1.0.2
Affected Version To: Unknown
Patch Exists: No
Related CWE: Unknown
CPE: a:potatonews:potatonews:1.0.2
Metasploit:
Other Scripts:
Platforms Tested: Unknown
Unknown

PotatoNews Multiple Local File Inclusion Vulnerabilities

PotatoNews is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input. An attacker can exploit these vulnerabilities to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.

Mitigation:

It is recommended to update to the latest version of PotatoNews to mitigate these vulnerabilities. Additionally, input validation and sanitization should be implemented to prevent file inclusion attacks.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/39276/info

PotatoNews is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker can exploit these vulnerabilities to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.

PotatoNews 1.0.2 is vulnerable; other versions may also be affected.

http://www.example.com/newcopy/timeago.php?nid=../../../../../../../[file]%00
http://www.example.com/update/timeago.php?nid=../../../../../../../[file]%00

Navigation

Suggest Exploit

Services By CQR