BID:24189

Inout Metasearch Engine Create_Engine.PHP Remote PHP Code Execution Vulnerability

Info

Inout Metasearch Engine Create_Engine.PHP Remote PHP Code Execution Vulnerability

Bugtraq ID:	24189
Class:	Input Validation Error
CVE:	CVE-2007-2988
Remote:	Yes
Local:	No
Published:	May 28 2007 12:00AM
Updated:	May 07 2015 05:37PM
Credit:	BlackHawk is credited with the discovery of this vulnerability.
Vulnerable:	Inout Scripts Inout Metasearch Engine 0

Not Vulnerable:

Discussion

Inout Metasearch Engine Create_Engine.PHP Remote PHP Code Execution Vulnerability

The Inout Metasearch engine is prone to an arbitrary PHP code-execution vulnerability because the application fails to properly sanitize user-supplied input.

This may help the attacker compromise the application and the underlying system; other attacks are also possible.

Exploit / POC

Inout Metasearch Engine Create_Engine.PHP Remote PHP Code Execution Vulnerability

Attackers can use a browser to exploit this issue.

Sample exploit code has been provided:

/data/vulnerabilities/exploits/24189.php

Solution / Fix

Inout Metasearch Engine Create_Engine.PHP Remote PHP Code Execution Vulnerability

Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].

References

Inout Metasearch Engine Create_Engine.PHP Remote PHP Code Execution Vulnerability

References:

Inout Scripts Homepage (Inout Scripts)
Inout Meta Searh engine Remote Code Execution (BlackHawk )