|
|
Family: CGI abuses --> Category: attack
phpAdsNew / phpPgAds < 2.0.6 Multiple Vulnerabilities Vulnerability Scan
Vulnerability Scan Summary
Checks for multiple vulnerabilities in phpAdsNew / phpPgAds < 2.0.6
Detailed Explanation for this Vulnerability Test
Synopsis :
The remote web server contains a PHP application that is affected by
multiple vulnerabilities.
Description :
The remote host is running phpAdsNew / phpPgAds, an open-source banner
ad server.
The version of phpAdsNews / phpPgAds installed on the remote host
suffers from several flaws :
- Remote PHP Code Injection Vulnerability
The XML-RPC library bundled with the application allows
a possible hacker to inject arbitrary PHP code via the
'adxmlrpc.php' script to be executed within the context
of the affected web server user id.
- Multiple Local File Include Vulnerabilities
The application fails to sanitize user-supplied input to
the 'layerstyle' parameter of the 'adlayer.php' script and
the 'language' parameter of the 'admin/js-form.php' script
before using them to include PHP files for execution. An
attacker can exploit these issues to read arbitrary local
files provided PHP's 'magic_quotes' directive is disabled.
- SQL Injection Vulnerability
A possible hacker can manipulate SQL queries via input to the
'clientid' parameter of the 'libraries/lib-view-direct.inc.php'
script.
See also :
http://www.hardened-php.net/advisory_152005.67.html
http://www.securityfocus.com/archive/1/408423/30/120/threaded
Solution :
Upgrade to phpAdsNew / phpPgAds 2.0.6 or later.
Threat Level:
High / CVSS Base Score : 7
(AV:R/AC:L/Au:NR/C:P/A:P/I:P/B:N)
Click HERE for more information and discussions on this network vulnerability scan.
|
