CVE-2008-4626

yappa-ng 2.3.2-2.3.3-beta0 - Path Traversal via Album Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2008-4626. PoCs published by Vrs-hCk.

AI-analyzed exploit summary This is a writeup describing a Local File Include (LFI) vulnerability in yappa-ng Version 2.3.2. The exploit leverages a null byte injection to include arbitrary local files via the 'album' parameter.

Description

Directory traversal vulnerability in index.php in Fritz Berger yet another php photo album - next generation (yappa-ng) 2.3.2 and possibly other versions through 2.3.3-beta0, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the album parameter.

Exploits (1)

exploitdb WRITEUP VERIFIED

by Vrs-hCk · textwebappsphp

https://www.exploit-db.com/exploits/6788

View Code ZIP pw:eip

This is a writeup describing a Local File Include (LFI) vulnerability in yappa-ng Version 2.3.2. The exploit leverages a null byte injection to include arbitrary local files via the 'album' parameter.

Classification

Writeup 90%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: yappa-ng Version 2.3.2

No auth needed

Prerequisites: Access to the vulnerable web application

MITRE ATT&CK