pPIM Multiple Remote Vulnerabilities
BID: 30627
Info
| Bugtraq ID: | 30627 |
| Class: | Unknown |
| CVE: | CVE-2008-4427 CVE-2008-4428 CVE-2008-4425 |
| Remote: | Yes |
| Local: | No |
| Published: | Aug 10 2008 12:00AM |
| Updated: | Jul 06 2016 02:17PM |
| Credit: | Stack, h0yt3r |
| Vulnerable: | Phlatline pPIM 1.0 |
| Not Vulnerable: | |
Discussion
pPIM is prone to multiple remotely exploitable vulnerabilities: two security-bypass issues, a cross-site scripting issue, and an arbitrary file-upload issue.
Attackers can exploit these issues to:
- execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site (cross-site scripting)
- steal cookie-based authentication credentials (cross-site scripting)
- delete files on the server within the context of the webserver process (security bypass)
- upload arbitrary PHP scripts and execute them in the context of the webserver (file upload)
- change user passwords (security bypass)
These issues affect pPIM 1.0 and prior versions.
Exploit / POC
An attacker can exploit these issues via a browser; no authentication is required for the requests shown.
The following example URIs demonstrate the file-deletion and cross-site scripting issues (the `file` and `date` parameters are the injection points):
http://www.example.com/upload.php?mode=delfile&file=FileName
http://www.example.com/events.php?mode=new&date="><script>alert('XSS')</script>
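Because the two request patterns above are visible in ordinary web server access logs, a practitioner hunting for exploitation can match on them directly. The following is an added example (it is not code from pPIM, Phlatline, the advisory or its credited researchers): it parses combined-format log lines, flags `upload.php?mode=delfile` requests and script-injection payloads in any `events.php` parameter, and returns the findings. The log regex, the rule names `ppim-delfile` and `ppim-xss`, the `SAMPLE_LOG` lines and the IP addresses are constructed for the example; rating `file` values containing `../` or an absolute path as high severity is an assumption about how the deletion issue reaches files outside pPIM's own upload area, not something the advisory states.

```python
"""
Added example, not pPIM's or the advisory's own code: access-log detection
for the BID 30627 request patterns. Log format, rule names and sample lines
are constructed; the traversal-based severity split is an assumption.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Apache/nginx "combined" log line: client ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Script-injection markers, matched after URL decoding and case-insensitively.
XSS_RE = re.compile(r'<\s*script|javascript:|\bon\w+\s*=', re.IGNORECASE)

# Constructed sample lines: a benign page view, two delfile requests (the second
# aimed outside the upload area), the XSS probe from the advisory URL-encoded as
# a browser would send it, and a benign events.php request with a normal date.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Aug/2008:10:01:02 +0000] "GET /ppim/index.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Aug/2008:10:01:09 +0000] "GET /ppim/upload.php?mode=delfile&file=notes.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Aug/2008:10:01:15 +0000] "GET /ppim/upload.php?mode=delfile&file=../../config.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Aug/2008:10:02:40 +0000] "GET /ppim/events.php?mode=new&date=%22%3E%3Cscript%3Ealert(%27XSS%27)%3C/script%3E HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Aug/2008:10:03:01 +0000] "GET /ppim/events.php?mode=new&date=2008-08-10 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Split one combined-log line into its fields plus decoded query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["script"] = url.path.rsplit("/", 1)[-1].lower()   # e.g. "upload.php"
    # parse_qs URL-decodes once; keep_blank_values so "file=" is still seen.
    rec["params"] = {k: v[0] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    return rec


def classify(rec):
    """Return (rule, detail) hits for one parsed request."""
    hits = []
    params = rec["params"]
    if rec["script"] == "upload.php" and params.get("mode") == "delfile":
        target = params.get("file", "")
        # Assumption: a traversal sequence or absolute path means the request is
        # aimed at files outside pPIM's own upload area, so rate it higher.
        traversal = "../" in target or "..\\" in target or target.startswith("/")
        hits.append(("ppim-delfile", f"{'high' if traversal else 'medium'}: file={target!r}"))
    if rec["script"] == "events.php":
        for name, value in params.items():
            decoded = unquote_plus(value)   # second decode catches double-encoded payloads
            if XSS_RE.search(decoded):
                hits.append(("ppim-xss", f"param={name} value={decoded!r}"))
    return hits


def scan(lines):
    """Run classify() over log lines; returns [(client_ip, rule, detail), ...]."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for rule, detail in classify(rec):
            findings.append((rec["ip"], rule, detail))
    return findings


if __name__ == "__main__":
    for ip, rule, detail in scan(SAMPLE_LOG):
        print(f"{ip}\t{rule}\t{detail}")
```

Every `delfile` request is reported, not only the traversal ones, because pPIM performs the deletion without a login check according to the advisory; a legitimate user deleting their own upload and an attacker deleting one look identical in the log, so the client address and timing have to be reviewed by hand. The XSS rule checks every `events.php` parameter rather than only `date`, on the assumption that other reflected parameters in the same script deserve the same scrutiny.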
Solution / Fix
Solution:
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
References
References:
- pPIM Homepage (Phlatline)
- pPIM Multiple Vulnerabilities (Justin C. Klein Keane)