vendor:
TenderSystem
by:
Packetdeath
7.5
CVSS
HIGH
Local File Inclusion
22
CWE
Product Name: TenderSystem
Affected Version From: 0.9.5 Beta
Affected Version To: 0.9.5 Beta
Patch Exists: NO
Related CWE: N/A
CPE: a:tendersystem:tendersystem:0.9.5_beta
Metasploit:
N/A
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
2009
TenderSystem 0.9.5 Beta Local File Inclusion Vulnerability
TenderSystem 0.9.5 Beta is vulnerable to Local File Inclusion. An attacker can exploit this vulnerability to include local files on the server. This can be exploited by sending a specially crafted HTTP request with directory traversal sequences and a null byte (%00) to the vulnerable application. This can be used to read sensitive files from the server.
Mitigation:
The application should filter user input and validate the input for malicious characters. The application should also restrict the user to access only the files that are necessary for the application to function.