PHPWind Board Remote File Include Vulnerability
BID:12207
Info
| Bugtraq ID: | 12207 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Jan 09 2005 12:00AM |
| Updated: | Jan 09 2005 12:00AM |
| Credit: | Discovery is credited to Alpha <[email protected]>. |
| Vulnerable: | PHPWind PHPWind Board 1.3.6 |
| Not Vulnerable: | PHPWind PHPWind Board 2.0.2 |
Discussion
A remote file include vulnerability affects PHPWind Board. This issue is due to a failure of the application to properly sanitize user-supplied input prior to using it in a PHP 'include()' function call.
An attacker may leverage this issue to execute arbitrary server-side script code on an affected computer with the privileges of the Web server process. This may facilitate unauthorized access.
PHPWind Board 1.3.6 and prior versions are vulnerable to this issue.
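The class of flaw described above and one way to close it, as an added example that is not PHPWind's code or its vendor fix. The `skin` parameter, the `skins/` directory layout and the `resolveSkinFile()` helper are hypothetical names chosen for illustration.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern of the kind the advisory describes (hypothetical
// parameter name, not PHPWind's actual source):
//     include($_GET['skin'] . '/header.php');
// The request value reaches include() unchecked, so the caller chooses what
// the server loads. On PHP 5.2+ keep allow_url_include set to Off as well.

// Assumed layout: each skin is a directory directly under SKIN_ROOT.
const SKIN_ROOT = __DIR__ . '/skins';
const DEFAULT_SKIN = 'default';

/**
 * Map a request-supplied skin name to a file inside SKIN_ROOT, falling back
 * to the default skin when the name or the resolved path is not acceptable.
 */
function resolveSkinFile(string $requested, string $file = 'header.php'): string
{
    // 1. Strict syntax: rejects URLs, "../", NUL bytes and stream wrappers.
    if (!preg_match('/\A[a-z0-9_]{1,32}\z/', $requested)) {
        $requested = DEFAULT_SKIN;
    }

    // 2. Resolve symlinks and confirm the result is still under SKIN_ROOT.
    $root = realpath(SKIN_ROOT);
    $path = realpath(SKIN_ROOT . '/' . $requested . '/' . $file);
    if ($root === false || $path === false
        || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        $path = realpath(SKIN_ROOT . '/' . DEFAULT_SKIN . '/' . $file);
    }
    if ($path === false) {
        throw new RuntimeException('Default skin is missing');
    }
    return $path;
}

// Only a path that passed both checks is ever handed to include.
if (PHP_SAPI !== 'cli') {
    $skin = $_GET['skin'] ?? DEFAULT_SKIN;   // hypothetical request parameter
    include resolveSkinFile(is_string($skin) ? $skin : DEFAULT_SKIN);
}
```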
Exploit / POC
An exploit is not required.
A proof of concept that grants administrator access is available:
Solution / Fix
Solution:
It is reported that PHPWind 2.0.2 or newer versions are not affected by this vulnerability. This information is not confirmed at the moment. Please contact the vendor for more information.
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
References
References:
- PHPWind Skin Vulnerability (Exploit) (Securiteam)
- PHPWIND1.3.6 (Alpha)