Internet Photoshow index.php page Variable Remote File Inclusion

2006-04-18T07:17:35
ID OSVDB:24743
Type osvdb
Reporter Hessam-x()
Modified 2006-04-18T07:17:35

Description

Vulnerability Description

Internet Photoshow contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to index.php not properly sanitizing user input supplied to the 'page' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.
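The flaw class described above (a front controller that turns a request parameter straight into an include path) is easiest to understand next to its fix. The following PHP is an added illustration, not Internet Photoshow's code; the page keys, file names and `pages/` directory are assumptions, and it assumes PHP 7.1 or later.

```php
<?php
// Added illustrative example (not Internet Photoshow's code): a dispatcher for an
// index.php?page=... style front controller.
//
// Weak pattern, shown for contrast only: the request value is used directly as
// the include path, so whatever the user supplies (a URL, when the interpreter
// allows URL includes) is what gets included and executed. This is the class of
// flaw the advisory describes.
//
//     include($_GET['page'] . '.php');
//
// Hardened pattern: treat 'page' as a key into a fixed allowlist, never as a path.

// Allowlist of page keys -> local template files (names are assumptions).
const PAGES = [
    'home'    => 'home.php',
    'gallery' => 'gallery.php',
    'about'   => 'about.php',
];

/**
 * Resolve the requested page key to a local file path, or null if not allowed.
 * Only an exact allowlist key matches; the user-supplied value is never used as
 * a path, so schemes, separators and null bytes cannot reach include().
 *
 * @param mixed $requested raw value from the request (may be missing or an array)
 */
function resolve_page($requested): ?string
{
    if ($requested === null || $requested === '') {
        $requested = 'home';
    }
    // Arrays (page[]=x) and other non-strings are rejected outright.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }
    return __DIR__ . '/pages/' . PAGES[$requested];
}

$target = resolve_page($_GET['page'] ?? null);
if ($target === null) {
    http_response_code(404);
    // Record the rejected value for detection; never echo it back unescaped.
    error_log('Rejected page parameter: ' . var_export($_GET['page'] ?? null, true));
    exit('Page not found');
}

include $target;
```

The allowlist removes the vulnerability regardless of interpreter settings; as defence in depth, `allow_url_include = Off` (available since PHP 5.2) and, where the application does not need it, `allow_url_fopen = Off` also stop `include` from fetching remote resources. The `error_log` line gives operators a signal to alert on: repeated rejected `page` values from one client are worth a look.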

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Short Description

Internet Photoshow contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to index.php not properly sanitizing user input supplied to the 'page' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

References:

Vendor URL: http://www.thomas-voecking.de/thomas/index.php?content=photoshow
Secunia Advisory ID: 19726
ISS X-Force ID: 25937
Generic Exploit URL: http://milw0rm.com/exploits/1694
FrSIRT Advisory: ADV-2006-1417
CVE: CVE-2006-1919
Bugtraq ID: 17620