|
Family: Gentoo Local Security Checks --> Category: infos
[GLSA-200605-04] phpWebSite: Local file inclusion Vulnerability Scan
Vulnerability Scan Summary phpWebSite: Local file inclusion
Detailed Explanation for this Vulnerability Test
The remote host is affected by the vulnerability described in GLSA-200605-04
(phpWebSite: Local file inclusion)
rgod has reported that the "hub_dir" parameter in "index.php"
isn't properly verified. When "magic_quotes_gpc" is disabled, this can
be exploited to include arbitrary files from local ressources.
Impact
If "magic_quotes_gpc" is disabled, which is not the default on
Gentoo Linux, a remote attacker could exploit this issue to include and
execute PHP scripts from local ressources with the rights of the user
running the web server, or to disclose sensitive information and
potentially compromise a vulnerable system.
Workaround
There is no known workaround at this time.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1819
Solution:
All phpWebSite users should upgrade to the latest available
version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/phpwebsite-0.10.2"
Threat Level: Medium
Click HERE for more information and discussions on this network vulnerability scan.
|