| Title | 123Solar 1.8.4.5 File Inclusion |
|---|
| Description | Version x.x.x.x of 123Solar is affected by a Local File Inclusion (LFI) vulnerability. Attackers can manipulate the PROTOCOLx parameter to include arbitrary PHP files from unintended directories, potentially leading to remote code execution (RCE).
The impact of this vulnerability is primarily the ability to include and execute PHP files on the server. Possible attack scenarios include:
An attacker uploads a PHP file to another system and obtains its absolute path but cannot directly access it. The attacker can then execute the PHP file through this vulnerability.
A PHP code injection vulnerability is discovered, but the configuration file cannot be directly accessed. The attacker can execute the PHP code through this vulnerability. |
|---|
| Source | ⚠️ https://github.com/jeanmarc77/123solar/issues/75 |
|---|
| User | hejiasheng (UID 74892) |
|---|
| Submission | 09/14/2024 09:08 (2 years ago) |
|---|
| Moderation | 09/27/2024 07:10 (13 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 278657 [jeanmarc77 123solar up to 1.8.4.5 /admin/admin_invt2.php PROTOCOLx file inclusion] |
|---|
| Points | 20 |
|---|