Summary
The remote web server contains a PHP application that is affected by a remote file include vulnerability.
Description:
The remote host is running Monster Top List, a site rating script written in PHP.
The installed version of Monster Top List fails to sanitize user input to the 'root_path' parameter in sources/functions.php before using it to include PHP code from other files. An unauthenticated attacker may be able to read arbitrary local files or include a file from a remote host that contains commands which will be executed on the remote host subject to the privileges of the web server process.
This flaw is only exploitable if PHP's 'register_globals' is enabled.
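As an added illustration from the defender's side (this is not code from the advisory or from Monster Top List; every file and variable name other than 'root_path' and sources/functions.php is assumed), the snippet below shows the include pattern the description refers to next to a hardened replacement that keeps the include path out of the attacker's hands:

```php
<?php
// Added example, not Monster Top List's own code. The only names taken from
// the advisory are the 'root_path' parameter and sources/functions.php;
// everything else (config.php, db.php, the directory layout) is assumed.

// --- Vulnerable pattern (illustrative, left commented out) ---
// With register_globals=On, a request parameter named root_path becomes the
// PHP variable $root_path before this line runs, so the include path is
// chosen by the client: a local file on the server, or a remote URL when
// allow_url_include is also on.
// include($root_path . 'sources/config.php');

// --- Hardened pattern ---
// 1. Never derive an include path from request data; anchor it to the
//    location of the script itself.
$root_path = dirname(__DIR__) . '/';

// 2. Include only files from an explicit allow-list, resolve them with
//    realpath() and confirm they stay inside the application tree.
function safe_include(string $root, string $name): bool
{
    static $allowed = ['config.php', 'db.php']; // assumed file names
    if (!in_array($name, $allowed, true)) {
        return false;                            // not on the allow-list
    }
    $base = realpath($root);
    $file = realpath($root . 'sources/' . $name);
    if ($base === false || $file === false
        || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;                            // missing or outside the tree
    }
    require_once $file;
    return true;
}

// 3. Defense in depth: since register_globals is the enabling condition named
//    in the advisory, refuse to run when it (or allow_url_include) is on.
if (ini_get('register_globals') || ini_get('allow_url_include')) {
    http_response_code(500);
    exit('Insecure PHP configuration: disable register_globals and allow_url_include.');
}

safe_include($root_path, 'config.php');
```

The corresponding php.ini settings are register_globals = Off and allow_url_include = Off; the runtime check in step 3 only catches a deployment where someone has turned them back on, it does not replace fixing the include itself.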
Solution
Unknown at this time.
References
Updated on 2015-03-25
Severity
Classification
CVE: CVE-2006-1781
CVSS Base Score: 7.5
CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Related Vulnerabilities
- Andy's PHP Knowledgebase 's' Parameter SQL Injection Vulnerability
- AlienVault OSSIM SQL Injection and Remote Code Execution Vulnerabilities
- Awstats Configuration File Remote Arbitrary Command Execution Vulnerability
- Allegro RomPager 'Misfortune Cookie' Vulnerability
- Andy's PHP Knowledgebase 'step5.php' Remote PHP Code Execution Vulnerability