|
|
Family: CGI abuses --> Category: attack
Ultimate PHP Board username Parameter Arbitrary Command Execution Vulnerability Vulnerability Scan
Vulnerability Scan Summary
Tries to run a command with Ultimate PHP Board
Detailed Explanation for this Vulnerability Test
Synopsis :
The remote web server contains a PHP script that allows injection of
arbitrary PHP code.
Description :
The remote host is running Ultimate PHP Board (UPB).
The version of UPB installed on the remote host does not sanitize
input to the 'username' parameter of the 'chat/login.php' script
before writing it to 'chat/text.php'. Regardless of PHP's settings,
a possible hacker can leverage this flaw to inject arbitrary PHP code into
the second file and then retrieve that to have the code executed on
the affected host subject to the rights of the web server user id.
See also :
http://milw0rm.com/exploits/2999
Solution :
Unknown at this time.
Threat Level:
High / CVSS Base Score : 7.0
(AV:R/AC:L/Au:NR/C:P/I:P/A:P/B:N)
Click HERE for more information and discussions on this network vulnerability scan.
|
