CVE-2024-49649 in Build App Online Plugininfo

Summary

by MITRE • 01/07/2025

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Abdul Hakeem Build App Online allows PHP Local File Inclusion.This issue affects Build App Online: from n/a through 1.0.23.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 02/05/2025

The CVE-2024-49649 vulnerability represents a critical PHP Remote File Inclusion flaw that enables attackers to manipulate include/require statements in the Abdul Hakeem Build App Online application. This vulnerability stems from improper validation of filename parameters used in PHP include operations, creating a pathway for remote code execution through local file inclusion attacks. The flaw exists within the application's handling of user-supplied input that directly influences file inclusion mechanisms, making it particularly dangerous for web applications that process external inputs without proper sanitization.

This vulnerability operates under the Common Weakness Enumeration CWE-98 classification, specifically targeting improper control of filename for include/require statements. The issue manifests when the application accepts user input through parameters that are subsequently used in PHP include or require functions without adequate validation or sanitization. Attackers can exploit this weakness by injecting malicious file paths or URLs that the application will attempt to include, potentially leading to arbitrary code execution on the server. The vulnerability affects all versions of Build App Online up to and including version 1.0.23, indicating a widespread exposure across the product's release history.

The operational impact of CVE-2024-49649 extends beyond simple data theft or service disruption, as it provides attackers with potential full system compromise capabilities. When exploited successfully, this vulnerability allows adversaries to execute arbitrary PHP code on the target server, potentially leading to complete system takeover. Attackers can leverage this weakness to upload backdoors, establish persistent access, or pivot to other systems within the network. The attack surface is particularly concerning given that the vulnerability affects the application's core include functionality, which is fundamental to PHP application operation and often used for modular code organization.

Security practitioners should implement immediate mitigations including input validation, parameter sanitization, and the removal of dynamic include statements that rely on user-supplied data. The recommended approach involves using allowlists for valid file parameters, implementing proper input filtering, and avoiding dynamic include operations that can be manipulated by attackers. Organizations should also consider implementing web application firewalls to detect and block suspicious include patterns. The ATT&CK framework categorizes this vulnerability under T1190 - Exploit Public-Facing Application, highlighting the need for comprehensive application security testing and regular vulnerability assessments. Additionally, the principle of least privilege should be enforced by ensuring that application files have minimal necessary permissions and that include paths are restricted to predefined safe locations.

Responsible

Patchstack

Reservation

10/17/2024

Disclosure

01/07/2025

Moderation

accepted

CPE

ready

EPSS

0.00564

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!