iSearch Multiple Script isearch_path Variable Remote File Inclusion

2006-10-07T23:43:32
ID OSVDB:30861
Type osvdb
Reporter OSVDB
Modified 2006-10-07T23:43:32

Description

Vulnerability Description

iSearch has been reported to contain a flaw that may allow a remote attacker to execute arbitrary commands. The issue is supposedly due to index.php, viewcache.php, sitemap.php, isearch.inc.php, google_sitemap.php, stats.php and auto_spider_img.php not properly sanitizing user input supplied to the 'isearch_path' variable. However, subsequent examination indicates that an attacker cannot manipulate input to the variable before it is processed by the script.

Solution Description

The vulnerability reported is incorrect. No solution required.

Short Description

iSearch has been reported to contain a flaw that may allow a remote attacker to execute arbitrary commands. The issue is supposedly due to index.php, viewcache.php, sitemap.php, isearch.inc.php, google_sitemap.php, stats.php and auto_spider_img.php not properly sanitizing user input supplied to the 'isearch_path' variable. However, subsequent examination indicates that an attacker cannot manipulate input to the variable before it is processed by the script.

References:

Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-10/0105.html
Mail List Post: http://attrition.org/pipermail/vim/2006-October/001081.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-10/0134.html
ISS X-Force ID: 29402
CVE-2006-5232
Bugtraq ID: 20401