PHPBoost Arbitrary File Upload and Information Disclosure Vulnerabilities
BID:58432
Info
| Bugtraq ID: | 58432 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 11 2013 12:00AM |
| Updated: | Mar 11 2013 12:00AM |
| Credit: | KedAns-Dz |
| Vulnerable: | PHPBoost PHPBoost 4.0 |
| Not Vulnerable: | |
Discussion
PHPBoost is prone to an information disclosure vulnerability and an arbitrary file-upload vulnerability because the application fails to adequately sanitize user-supplied input.
An attacker can exploit these issues to upload arbitrary files in the context of the web server process or gain access to sensitive information that may aid in further attacks.
PHPBoost 4.0 is vulnerable; other versions may also be affected.
Exploit / POC
Attackers can exploit these issues using a browser.
The following example URI is available:
http://www.example.com/phpboost/user/?url=/../../KedAns
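For defenders reviewing web server logs, the following added example (not part of the original advisory and not PHPBoost code) flags requests whose `url` parameter carries a `..` path segment, as in the example URI above, including percent-encoded forms. It assumes combined-format access logs and that the affected path ends in `/user/`; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so multiply-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(value):
    """True if any path segment of the decoded value is '..'."""
    segments = re.split(r'[\\/]+', fully_decode(value))
    return '..' in segments

def suspicious_requests(log_lines, param='url', path_suffix='/user/'):
    """Return request targets whose `param` value carries a '..' segment."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        if not target.path.endswith(path_suffix):
            continue
        # parse_qs already decodes once; has_traversal decodes any further layers.
        values = parse_qs(target.query, keep_blank_values=True).get(param, [])
        if any(has_traversal(v) for v in values):
            hits.append(match.group(1))
    return hits

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '198.51.100.7 - - [11/Mar/2013:10:00:01 +0000] "GET /phpboost/user/?url=/../../KedAns HTTP/1.1" 200 512',
    '198.51.100.7 - - [11/Mar/2013:10:00:05 +0000] "GET /phpboost/user/?url=%252e%252e%252fKedAns HTTP/1.1" 200 512',
    '203.0.113.9 - - [11/Mar/2013:10:01:00 +0000] "GET /phpboost/user/?url=/profile/12 HTTP/1.1" 200 2048',
    '203.0.113.9 - - [11/Mar/2013:10:01:09 +0000] "GET /phpboost/news/?url=/../x HTTP/1.1" 404 128',
]

if __name__ == '__main__':
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```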
Solution / Fix
Solution:
Currently, we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
References
References:
- PHPBoost Homepage (PHPBoost)