Family: CGI abuses --> Category: attack
phpPgAdmin formLanguage Parameter Local File Include Vulnerability Vulnerability Scan
Vulnerability Scan Summary :
Checks for formLanguage parameter directory traversal vulnerability in phpPgAdmin
Detailed Explanation for this Vulnerability Test
Synopsis :
The remote web server contains a PHP script that is affected by a
local file include vulnerability.
Description :
The remote host is running phpPgAdmin, a web-based administration tool
for PostgreSQL.
The installed version of phpPgAdmin fails to filter directory
traversal sequences from user input supplied to the 'formLanguage'
parameter of the login form. An attacker can exploit this issue to
read files outside the application's document directory and to include
arbitrary PHP files from the remote host, subject to the rights of
the web server user ID.
See also :
http://archives.neohapsis.com/archives/dailydave/2005-q3/0010.html
http://sourceforge.net/project/shownotes.php?release_id=342261
Solution :
Upgrade to phpPgAdmin 3.5.4 or later.
Threat Level:
Medium / CVSS Base Score : 6
(AV:R/AC:H/Au:NR/C:P/A:P/I:P/B:N)
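
A defender-side check for the issue described above, as an added example that is not part of the original advisory or of phpPgAdmin's code: it flags logged login requests whose 'formLanguage' value is not a plain language name, after undoing repeated percent-encoding. The language-name pattern, the record layout and the sample request bodies are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote

# Assumption: legitimate language values are short names such as "english" or "zh-cn".
SAFE_LANGUAGE = re.compile(r"[A-Za-z][A-Za-z0-9_-]{0,31}")
PARAM = "formLanguage"  # parameter named in the advisory above


def fully_decode(value, max_rounds=5):
    """Undo repeated percent-encoding (e.g. %252e -> %2e -> .)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_values(body):
    """Return formLanguage values in a form-encoded body that are not plain names."""
    fields = parse_qs(body, keep_blank_values=True)  # decodes one encoding layer
    hits = []
    for raw in fields.get(PARAM, []):
        value = fully_decode(raw)
        # An empty value is ignored; anything else must match the allow-list pattern.
        if value and not SAFE_LANGUAGE.fullmatch(value):
            hits.append(value)
    return hits


def scan(records):
    """records: iterable of (request_id, body); returns flagged (id, value) pairs."""
    return [(rid, v) for rid, body in records for v in suspicious_values(body)]


# Constructed sample request bodies, as a proxy or WAF audit log might record them.
SAMPLE = [
    ("r1", "user=alice&formLanguage=english"),
    ("r2", "user=bob&formLanguage=..%2F..%2F..%2Ftmp%2Fnotes"),
    ("r3", "formLanguage=%252e%252e%252fconf%252fsettings&user=x"),
    ("r4", "user=carol&formLanguage="),
]

if __name__ == "__main__":
    for rid, value in scan(SAMPLE):
        print(f"{rid}: suspicious {PARAM} value {value!r}")
```

The same allow-list pattern can be applied server-side before the value is used to build an include path; upgrading as stated in the Solution remains the fix.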