Family: CGI abuses --> Category: attack
Plogger config Parameter Remote File Include Vulnerability
Vulnerability Scan Summary: Checks for the config parameter remote file include vulnerability in Plogger
Detailed Explanation for this Vulnerability Test
Synopsis :
The remote web server contains a PHP application that is prone to a
remote file inclusion vulnerability.
Description :
The remote host appears to be running Plogger, an open-source photo
gallery written in PHP.
The version of Plogger installed on the remote host fails to sanitize
user-supplied input to the 'config[basedir]' parameter of the
'admin/plog-admin-functions.php' script before using it in a PHP
'require_once' call. Provided PHP's 'register_globals' setting is
enabled, an unauthenticated attacker may be able to exploit this flaw
to read arbitrary files on the remote host and/or run arbitrary code,
possibly taken from third-party hosts, subject to the privileges of
the web server user id.
See also :
http://www.plogger.org/two-point-one/
Solution :
Upgrade to Plogger 2.1 or later.
Threat Level:
High / CVSS Base Score : 7.0
(AV:R/AC:L/Au:NR/C:P/I:P/A:P/B:N)