Invision Power Board "Task PHP File To Run" Field Traversal Local File Inclusion

2005-11-04T22:21:19
ID OSVDB:35429
Type osvdb
Reporter Anti Matter(antimatter@gmail.com)
Modified 2005-11-04T22:21:19

Description

Vulnerability Description

Invision Power Board contains a flaw that allows a remote attacker to execute arbitrary files outside of the web path. The issue is due to the 'Task PHP File to Run' field not properly sanitizing user input, specifically directory traversal style attacks (../../).

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Short Description

Invision Power Board contains a flaw that allows a remote attacker to execute arbitrary files outside of the web path. The issue is due to the 'Task PHP File to Run' field not properly sanitizing user input, specifically directory traversal style attacks (../../).

References:

Vendor URL: http://www.invisionboard.com/ Secunia Advisory ID:17443 Related OSVDB ID: 23337 Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-11/0060.html CVE-2005-3548