BID:23921

H-Sphere SiteStudio Template Parameter Local File Include Vulnerability

Info

H-Sphere SiteStudio Template Parameter Local File Include Vulnerability

Bugtraq ID:	23921
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	May 10 2007 12:00AM
Updated:	May 11 2007 04:39PM
Credit:	The vendor reported this issue.
Vulnerable:	Positive Software H-Sphere SiteStudio 3.0 Positive Software H-Sphere SiteStudio 2.5

Not Vulnerable:

Discussion

H-Sphere SiteStudio Template Parameter Local File Include Vulnerability

H-Sphere SiteStudio is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

Exploiting this issue may allow an unauthorized user to view files and execute local scripts.

H-Sphere SiteStudio 3.0 and prior versions are vulnerable to this issue.

Exploit / POC

H-Sphere SiteStudio Template Parameter Local File Include Vulnerability

Attackers can use a browser to exploit this issue.

Solution / Fix

H-Sphere SiteStudio Template Parameter Local File Include Vulnerability

Solution:
The vendor released a patch to address this issue. Please see the references for more information.

Positive Software H-Sphere SiteStudio 3.0

Positive Software Version 3.0 Patch 1
http://www.psoft.net/shiv/HS/releases/U30.0/U30.0P1/U30.0P1

Positive Software H-Sphere SiteStudio 2.5

Positive Software Version 2.5 Patch 10
http://www.psoft.net/shiv/HS/releases/U25.0/U25.0P10/U25.0P10

References

H-Sphere SiteStudio Template Parameter Local File Include Vulnerability

References:

H-Sphere SiteStudio Security Patch (Positive Software)
Positive Software Homepage (Positive Software)