Help Center Live skin.php Arbitrary Command Execution

2004-12-24T17:02:16
ID OSVDB:12631
Type osvdb
Reporter James Bercegay
Modified 2004-12-24T17:02:16

Description

Vulnerability Description

Help Center Live contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to skin.php not properly sanitizing user input. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

References:

Vendor URL: http://www.helpcenterlive.com/
Security Tracker: 1012685
Secunia Advisory ID: 13652
Related OSVDB ID: 12598
Related OSVDB ID: 12597
Other Advisory URL: http://www.gulftech.org/?node=research&article_id=00058-12242004
Keyword: Remote File Inclusion
CVE-2004-2601