Flatnux Multiple Security Vulnerabilities
BID:52846
Info
| Bugtraq ID: | 52846 |
| Class: | Input Validation Error |
| CVE: | CVE-2012-4877 CVE-2012-4878 CVE-2012-4890 |
| Remote: | Yes |
| Local: | No |
| Published: | Apr 01 2012 12:00AM |
| Updated: | Mar 19 2015 07:35AM |
| Credit: | Vulnerability Laboratory |
| Vulnerable: | Flatnux Fncommerce 2010-12-17-no-sample; Flatnux Fncommerce 2010-12-17-no-sample; Flatnux Fncommerce 2010-12-17-no-db; Flatnux Fncommerce 2010-08-09-with-samp; Flatnux Fncommerce 2010-08-09-no-sample; Flatnux Fncommerce 2010-08-09-no-db; Flatnux Flatnux 2011-minimal-2012-01; Flatnux Flatnux 2011-2012-01.03.3; Flatnux Flatnux 2011-08.09.2 |
| Not Vulnerable: | |
Discussion
Flatnux is prone to multiple security vulnerabilities:
1. An HTML-injection vulnerability
2. A cross-site request-forgery vulnerability
3. A directory-traversal vulnerability
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials, obtain sensitive information, or control how the site is rendered to the user. Other attacks are also possible.
The following versions are vulnerable:
Flatnux 2011-08.09.2
Flatnux 2011-2012-01.03.3
Flatnux 2011-minimal-2012-01.03.3
Fncommerce 2010-08-09-no-db
Fncommerce 2010-08-09-no-sample-data
Fncommerce 2010-08-09-with-sample-data
Fncommerce 2010-12-17-no-db
Fncommerce 2010-12-17-no-sample-data
Fncommerce 2010-12-17-with-sample-data
Exploit / POC
An attacker can exploit these issues by enticing an unsuspecting user to follow a malicious URI. The attacker can exploit these issues with a browser.
The following example data is available:
Solution / Fix
Solution:
Currently, we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
References
References:
- FlatNux - Homepage (FlatNux)
- Flatnux CMS 2011 08.09.2 - Multiple Web Vulnerabilities (Vulnerability Laboratory)