rightscripts.com Extract Website Script Local File Inclusion Vulnerability

There is a Local File Inclusion (LFI) vulnerability in rightscripts.com Extract Website Script which may allow an attacker to take control of the web-server.

Software

Software Link: rightscripts.com Extract Website Script

Vulnerable Version: <= Latest as at 2010-12-20

Vendor Notification:

# 2010-12-20 # Leakey.Y@gmail.com

# 2010-12-27 # No reply from vendor # Advisory released

Vulnerabilities

# Information Disclosure # Full Path Disclosure # Un-patched

# Local File Inclusion # Un-patched

# Open Proxy # Un-patched

It's possible to pivot inside the internal network by using internal IPs and hostnames :

Reference

# OWASP: Cross-Site Scripting

# OWASP: Local File Inclusion (LFI)

# OWASP: Full Path Disclosure

# OWASP: Information Leakage

Appendix

[TXT] rightscripts.com Extract Website Script Local File Inclusion Vulnerability