Family: CGI abuses --> Category: attack
Limbo CMS Multiple Vulnerabilities Vulnerability Scan
Vulnerability Scan Summary
Checks for multiple vulnerabilities in Limbo
Detailed Explanation for this Vulnerability Test
The remote web server contains a PHP application that is affected by
The remote host is running Limbo CMS, a content-management system
written in PHP.
The remote version of this software is vulnerable to several flaws
- If register_globals is off and Limbo is configured to use a MySQL
backend, then an SQL injection is possible due to improper
sanitization of the '_SERVER[REMOTE_ADDR]' parameter.
- The installation path is revealed when the 'doc.inc.php',
'element.inc.php', and 'node.inc.php' files are reqeusted when
PHP's 'display_errors' setting is enabled.
- An XSS attack is possible when the Stats module is used due to
improper sanitization of the '_SERVER[REMOTE_ADDR]' parameter.
- Arbitrary PHP files can be retrieved via the 'index2.php' script
due to improper sanitation of the 'option' parameter.
- A possible hacker can run arbitrary system commands on the remote
system via a combination of the SQL injection and directory
See also :
Apply the patch http://www.limbo-cms.com/downs/patch_1_0_4_2.zip
High / CVSS Base Score : 7
Click HERE for more information and discussions on this network vulnerability scan.