Main Vulnerability Database Exploits ID:5878 - Exploit for Local PHP file inclusion in Gila CMS - CVE-2019-16679

ID:5878 - Exploit for Local PHP file inclusion in Gila CMS - CVE-2019-16679

Published: June 17, 2021

Vulnerability identifier: #VU21276

Vulnerability risk: Low

CVE-ID: CVE-2019-16679

CWE-ID: CWE-98

Exploitation vector: Remote access

Vulnerable software:
Gila CMS

Link to public exploit:

https://www.exploit-db.com/exploits/47407/

Vulnerability description

The vulnerability allows a remote attacker to include and execute arbitrary PHP files on the server.

The vulnerability exists due to incorrect input validation when including PHP files in the "f" parameter in "admin/fm" URL. A remote authenticated administrator can send a specially crafted HTTP request to the affected application, include and execute arbitrary PHP code on the system with privileges of the web server.

PoC:

http://[host]/admin/fm/?f=src../../../../../../../../../WINDOWS/system32/drivers/etc/hosts

Remediation

Install updates from vendor's website.

ID:5878 - Exploit for Local PHP file inclusion in Gila CMS - CVE-2019-16679

Link to public exploit:

Vulnerability description

Remediation

Please verify you're human