Vendor: XT-Conteudo module
By: FiSh
CVSS: 5.5 (MEDIUM)
CWE: Remote File Inclusion
Product Name: XT-Conteudo module
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
2007

XT-Conteudo (XOOPS Module) Remote File Inclusion Vulnerability

This vulnerability allows an attacker to include remote files in the XT-Conteudo module for XOOPS CMS. The vulnerable code is located in the 'spaw_control.class.php' file, where it includes the 'spaw_control.config.php', 'toolbars.class.php', and 'lang.class.php' files without proper validation. An attacker can exploit this by providing a malicious URL as the 'spaw_root' parameter, leading to remote file inclusion and potential code execution.

Mitigation:

Update the XT-Conteudo module to the latest version that includes a fix for this vulnerability. Alternatively, implement proper input validation and sanitization to prevent remote file inclusion attacks.
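One way to implement the input validation described above, as an added example (not the module's own code): the include root is fixed server-side and each include is resolved against an allowlist of the three file names from the description. The function name spaw_include_path, the constant SPAW_INCLUDES and the temporary demo directory are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Allowlist: the three files the advisory names as included by spaw_control.class.php.
const SPAW_INCLUDES = ['spaw_control.config.php', 'toolbars.class.php', 'lang.class.php'];

/**
 * Map an allowlisted file name to an absolute local path under $trustedBase.
 * $trustedBase must come from server-side code (e.g. __DIR__), never from the request.
 */
function spaw_include_path(string $trustedBase, string $file): string
{
    if (!in_array($file, SPAW_INCLUDES, true)) {
        throw new InvalidArgumentException("include not allowlisted: $file");
    }
    // realpath() only resolves existing local paths; it returns false for URLs.
    $base = realpath($trustedBase);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('base directory is not a local directory');
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $file);
    $prefix = $base . DIRECTORY_SEPARATOR;
    // Symlinks are resolved first, so a link pointing outside the base fails here.
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException("include resolves outside the module: $file");
    }
    return $path;
}

// --- Constructed demo: a temporary directory stands in for the module directory ---
$demo = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'spaw_demo_' . bin2hex(random_bytes(4));
mkdir($demo, 0700);
foreach (SPAW_INCLUDES as $f) {
    file_put_contents($demo . DIRECTORY_SEPARATOR . $f, "<?php // constructed stub\n");
}

// The root is fixed here; a 'spaw_root' value in the request is never consulted.
foreach (SPAW_INCLUDES as $f) {
    require_once spaw_include_path($demo, $f);
    echo "loaded $f\n";
}

// A name that is not on the allowlist is refused before any file system access.
try {
    spaw_include_path($demo, '../outside.php');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

In a real deployment the trusted base would be __DIR__ of the including file rather than a temporary directory. Setting allow_url_include = Off in php.ini adds a second layer, since PHP then refuses URL wrappers in include and require.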
Source

Exploit-DB raw data: