Canais
| Vulnerabilidade no PHPCode Cabinet |
 |
 |
- Categoria: Alertas
- sexta, 22 setembro 2006 15:43
Fonte: http://xforce.iss.net/xforce/xfdb/28238
phpCodeCabinet could allow a remote attacker to include arbitrary files. A remote attacker could send a specially-crafted URL request to the include/Beautifier/Core.php script using the "BEAUT_PATH" parameter to specify a malicious file from a remote system, which could allow the attacker to execute arbitrary code on the vulnerable Web server.
Description
phpCodeCabinet could allow a remote attacker to include arbitrary files. A remote attacker could send a specially-crafted URL request to the include/Beautifier/Core.php script using the "BEAUT_PATH" parameter to specify a malicious file from a remote system, which could allow the attacker to execute arbitrary code on the vulnerable Web server.
Platforms Affected:
* Apple Computer, Inc.: Mac OS X Any version
* Brad Fears: phpCodeCabinet 0.5 and earlier
* Data General: DG/UX Any version
* Hewlett-Packard Company: HP-UX Any version
* Hewlett-Packard Company: Tru64 UNIX Any version
* IBM: AIX Any version
* IBM: OS/2 Any version
* Linux: Linux Any version
* Microsoft Corporation: Windows 95
* Microsoft Corporation: Windows 98
* Microsoft Corporation: Windows 98 Second Edition
* Microsoft Corporation: Windows Me
* Microsoft Corporation: Windows XP
* Microsoft Corporation: Windows 2000 Any version
* Microsoft Corporation: Windows 2003 Any version
* Microsoft Corporation: Windows NT 4.0
* Santa Cruz Operation, Inc.: SCO Unix Any version
* SGI: IRIX Any version
* Sun Microsystems, Inc.: Solaris Any version
* Wind River Systems, Inc.: BSD Any version
References
* FrSIRT/ADV-2006-3168, phpCodeCabinet BEAUT_PATH Parameter Handling Remote File Inclusion Vulnerability at http://www.frsirt.com/english/advisories/2006/3168.
* Full-Disclosure Mailing List, Sat Aug 5 00:22:12 BST 2006 , PHPCodeCabinet Vulnerability at http://lists.grok.org.uk/pipermail/full-disclosure/2006-August/048519.html.
Missão
O CERT.PT tem como missão contribuir para o esforço de cibersegurança nacional nomeadamente no tratamento e coordenação da resposta a incidentes, na produção de alertas e recomendações de segurança e na promoção de uma cultura de segurança em Portugal.
Contactos
Av. do Brasil 101
1700-066 Lisboa
Portugal
Tel: +351 218440177 (9h30-12h30, 14h00-17h30; GMT)
Fax: +351 218472167
email:
pgp: 342A 17BA DF71 E193 6871 0357 8BDE A247 C523 AAE7
Filiação
