Pluck 'predefined_variables.php' Multiple Local File Include Vulnerabilities

Bugtraq ID:	30218
Class:	Input Validation Error
CVE:	CVE-2008-3194
Remote:	Yes
Local:	No
Published:	Jul 14 2008 12:00AM
Updated:	May 07 2015 05:27PM
Credit:	AmnPardaz Security Research Team
Vulnerable:	Pluck Pluck 4.5.1
Not Vulnerable:

Pluck 'predefined_variables.php' Multiple Local File Include Vulnerabilities

Pluck is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker can exploit these vulnerabilities using directory-traversal strings to view local files within the context of the webserver process. Information harvested may aid in further attacks.

Pluck 4.5.1 is vulnerable; other versions may also be affected.

Pluck 'predefined_variables.php' Multiple Local File Include Vulnerabilities

Attackers can exploit these issues using a browser.

The following example URI is available:

http://www.example.com/pluck-4_5_1/data/inc/themes/predefined_variables.php?blogpost=../../../../../../../../etc/resolv.conf

Pluck 'predefined_variables.php' Multiple Local File Include Vulnerabilities

Solution:
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].

Pluck 'predefined_variables.php' Multiple Local File Include Vulnerabilities

References:

• Pluck Homepage (Pluck)
  
• Pluck Local File inclusion ([email protected])