CVE-2009-0966

Published: Mar 19, 2009Modified: Apr 23, 2026

7.5

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability: 10.0 / Impact: 6.4

Source: NVD

Description

PHP remote file inclusion vulnerability in cross.php in YABSoft Mega File Hosting 1.2 allows remote attackers to execute arbitrary PHP code via a URL in the url parameter. NOTE: this can also be leveraged to include and execute arbitrary local files via .. (dot dot) sequences.

Affected (1)

Products: Yabsoft: Mega File Hosting Script

1 product

Mega File Hosting Script

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Yabsoft Mega File Hosting Script	Version 1.2

Related CWEs

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (10)

http://osvdb.org/52789

Source: cve@mitre.org

http://secunia.com/advisories/34325

Source: cve@mitre.org

Vendor Advisory

http://www.securityfocus.com/bid/34157

Source: cve@mitre.org

Exploit

https://exchange.xforce.ibmcloud.com/vulnerabilities/49302

Source: cve@mitre.org

https://www.exploit-db.com/exploits/8230

Source: cve@mitre.org

http://osvdb.org/52789

Source: af854a3a-2127-422b-91ae-364da2661108

http://secunia.com/advisories/34325

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://www.securityfocus.com/bid/34157

Source: af854a3a-2127-422b-91ae-364da2661108

Exploit

https://exchange.xforce.ibmcloud.com/vulnerabilities/49302

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.exploit-db.com/exploits/8230

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.