BID:23793

Open Translation Engine Header.PHP Remote File Include Vulnerability

Info

Open Translation Engine Header.PHP Remote File Include Vulnerability

Bugtraq ID:	23793
Class:	Input Validation Error
CVE:	CVE-2007-2676
Remote:	Yes
Local:	No
Published:	May 03 2007 12:00AM
Updated:	May 07 2015 05:39PM
Credit:	GolD_M is credited with the discovery of this vulnerability.
Vulnerable:	Open Translation Engine Open Translation Engine 0.7.8

Not Vulnerable:	Open Translation Engine Open Translation Engine 0.9.2

Discussion

Open Translation Engine Header.PHP Remote File Include Vulnerability

Open Translation Engine is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied input.

Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.

Open Translation Engine versions prior to 0.9.2 are vulnerable.

Exploit / POC

Open Translation Engine Header.PHP Remote File Include Vulnerability

Attackers can use a browser to exploit this issue.

The following example demonstrates this issue:

http://www.example.com/skins/header.php?ote_home=Shell

Solution / Fix

Open Translation Engine Header.PHP Remote File Include Vulnerability

Solution:
The vendor released Open Translation Engine 0.9.2 to address this issue. Please see the references for more information.

Open Translation Engine Open Translation Engine 0.7.8

Open Translation Engine ote.zip
http://downloads.sourceforge.net/ote/ote.zip?modtime=1191093747&big_mi rror=0

References

Open Translation Engine Header.PHP Remote File Include Vulnerability

References:

Open Translation Engine Homepage (Open Translation Engine )