Plume CMS prepend.php _PX_config[manager_path] Variable Remote File Inclusion

2006-02-15T06:32:38
ID OSVDB:23204
Type osvdb
Reporter unitedbr()
Modified 2006-02-15T06:32:38

Description

Vulnerability Description

Plume CMS contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to prepend.php not properly sanitizing user input supplied to the "_PX_config[manager_path]" variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

Technical Description

This vulnerability is only present when the register_globals PHP option is set to 'on'. At the time of this writing, versions 1.1 and 1.1.1 of Plume CMS are available; it is not known if those versions have the same flaw.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

References:

Vendor URL: http://www.plume-cms.net/
Vendor URL: http://plume-cms.net/
Security Tracker: 1015624
Secunia Advisory ID: 18883
Secunia Advisory ID: 20310
Packet Storm: http://packetstormsecurity.org/0608-exploits/plume-1.0.6.txt
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-05/0568.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-09/0291.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-09/0297.html
FrSIRT Advisory: ADV-2006-0599
FrSIRT Advisory: ADV-2006-2014
CVE-2006-0725
CVE-2006-2645
Bugtraq ID: 16662