|
Family: CGI abuses --> Category: attack
Plume CMS <= 1.0.2 Remote File Inclusion Vulnerability Vulnerability Scan
Vulnerability Scan Summary Check if Plume CMS is vulnerable to a file inclusion flaw
Detailed Explanation for this Vulnerability Test
Synopsis :
The remote host is running a PHP application that is prone
to local and remote file inclusion attacks.
Description :
The system is running Plume CMS a simple but powerful
content management system.
The version installed does not sanitize user input in the
'_PX_config[manager_path]' parameter in the 'prepend.php' file.
This allows a possible hacker to include arbitrary files and execute code
on the system.
This flaw is exploitable if PHP's register_globals is enabled.
See also :
http://www.plume-cms.net/news/77-Security-Notice-Please-Update-Your-Prependphp-File
http://secunia.com/advisories/18883/
Solution :
Either sanitize the prepend.php
file as advised by the developer (see first URL) or
upgrade to Plume CMS version 1.0.3 or later
Threat Level:
High / CVSS Base Score : 7.0
(AV:R/AC:L/Au:NR/C:P/I:P/A:P/B:N)
Click HERE for more information and discussions on this network vulnerability scan.
|