vendor:
SH-News
by:
bd0rk
7,5
CVSS
HIGH
Remote File Include
98
CWE
Product Name: SH-News
Affected Version From: 0.93
Affected Version To: 0.93
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit:
N/A
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008
SH-News 0.93 (misc.php) Remote File Include Exploit
This exploit allows an attacker to execute arbitrary code on the vulnerable server by including a file from a remote web server through a vulnerable script on the web server. The vulnerable code is require "{$news_cfg['path']}/german.inc.php";
Mitigation:
The best way to mitigate this vulnerability is to ensure that user input is validated and filtered before being used in a file include statement.
