Uebimiau Error.PHP Multiple Input Validation Vulnerabilities
BID:24210
Info
| Bugtraq ID: | 24210 |
| Class: | Input Validation Error |
| CVE: | CVE-2007-3171, CVE-2007-3172, CVE-2007-3170, CVE-2008-0140 |
| Remote: | Yes |
| Local: | No |
| Published: | May 29 2007 12:00AM |
| Updated: | Jul 06 2016 02:39PM |
| Credit: | Michal Majchrowicz and Eugene Minaev are credited with the discovery of these vulnerabilities. |
| Vulnerable: | UebiMiau UebiMiau 2.7.10, UebiMiau UebiMiau 2.7.9, UebiMiau UebiMiau 2.7.2 |
| Not Vulnerable: | |
Discussion
Uebimiau is prone to multiple input-validation vulnerabilities, including cross-site scripting issues and an information-disclosure issue, because the application fails to properly sanitize user-supplied input.
Attackers can exploit these issues to steal cookie-based authentication credentials, to control how the site is rendered to the user, or to gain access to information that could aid in further attacks.
Uebimiau 2.7.2 and 2.7.10 are vulnerable; other versions may also be affected.
Exploit / POC
An attacker can use a browser to exploit these issues. To exploit a cross-site scripting vulnerability, the attacker must entice an unsuspecting victim into following a malicious URI.
The following proof-of-concept URIs are available:
http://www.example.com/error.php?f_pass=blackybr&sess[auth]=1&selected_theme=../ksuri.php%00
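For defenders, the parameter shapes visible in the proof-of-concept URI above can be searched for in web server access logs. The following is an added example, not part of the original advisory; the log format, the sample lines and the assumed pattern for a legitimate theme name are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines for illustration; not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [29/May/2007:10:00:00 +0000] "GET /error.php?selected_theme=default HTTP/1.1" 200 512',
    '192.0.2.11 - - [29/May/2007:10:00:05 +0000] "GET /error.php?f_pass=blackybr&sess[auth]=1&selected_theme=../ksuri.php%00 HTTP/1.1" 200 734',
    '192.0.2.12 - - [29/May/2007:10:00:09 +0000] "GET /error.php?selected_theme=..%2F..%2Fconfig HTTP/1.1" 200 120',
    '192.0.2.13 - - [29/May/2007:10:00:12 +0000] "GET /index.php?sess%5Bauth%5D=1 HTTP/1.1" 200 90',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumption: a legitimate theme name is a plain directory name.
SAFE_THEME_RE = re.compile(r'[A-Za-z0-9_-]+')


def inspect_request(target):
    """Return the reasons a request target resembles the PoC (empty list if clean)."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith('/error.php'):
        return []
    reasons = []
    # parse_qsl percent-decodes names and values, so %2F and %00 are checked decoded.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.startswith('sess['):
            reasons.append('session array supplied in query string')
        if key == 'selected_theme' and not SAFE_THEME_RE.fullmatch(value):
            if '\x00' in value:
                reasons.append('null byte in selected_theme')
            if '..' in value or '/' in value or '\\' in value:
                reasons.append('dot-dot or path separator in selected_theme')
            if '\x00' not in value and not re.search(r'\.\.|[/\\]', value):
                reasons.append('unexpected characters in selected_theme')
    return reasons


def scan(lines):
    """Return (client address, reasons) for every flagged log line."""
    findings = []
    for line in lines:
        match = REQUEST_RE.search(line)
        reasons = inspect_request(match.group(1)) if match else []
        if reasons:
            findings.append((line.split()[0], reasons))
    return findings


if __name__ == '__main__':
    for client, reasons in scan(SAMPLE_LOG):
        print(client, '; '.join(reasons))
```

The check is scoped to `error.php` because that is the only script the advisory names; the same parameter tests can be pointed at other scripts if local review shows they accept these parameters.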
Solution / Fix
Solution:
Currently we are not aware of any vendor-supplied patches for these issues. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
References
References:
- UebiMiau Homepage (UebiMiau)