phpWebSite Administrator Forced Command Execution

2004-08-31T00:00:00
ID OSVDB:9447
Type osvdb
Reporter James Bercegay
Modified 2004-08-31T00:00:00

Description

Vulnerability Description

phpWebSite contains a flaw that may allow a malicious user to force an administrator to execute malicious code. The issue is triggered when a malicious user sends specially crafted content to an administrator which causes commands to be executed via POST requests instead of GET requests, bypassing some authentication checks. It is possible that the flaw may allow a remote attacker to create an administrative account and/or take over the system, resulting in a loss of confidentiality and/or integrity.
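The following is an added illustration written for this record; it is not phpWebSite code and does not claim to reproduce the project's actual handler. It models the class of flaw the description names: a privileged action whose authentication check is applied only when the parameters arrive via GET, so the same command delivered in a POST body from a page the administrator is lured to runs with the administrator's session. The hardened variant applies the check regardless of request method, accepts state-changing commands only via POST, and requires a per-session anti-forgery token that a page on another origin cannot read. All function names, parameters and the demo requests are constructed for the example.

```php
<?php
// Added example, not phpWebSite's code. Handlers take the request pieces as
// arguments instead of reading superglobals so the logic can be exercised offline.

// Placeholder for the application's privileged action (hypothetical).
function run_command(string $cmd): string
{
    return "executed: $cmd";
}

// Weak pattern (hypothetical): the login check is tied to the GET path only,
// so a command carried in a POST body is executed without being checked.
function handle_admin_action_weak(string $method, array $get, array $post, array $session): string
{
    if ($method === 'GET') {
        if (empty($session['is_admin'])) {
            return 'denied';
        }
        return run_command($get['command'] ?? '');
    }
    // POST-delivered commands reach here with no authentication check at all.
    return run_command($post['command'] ?? '');
}

// Issue (or reuse) a random anti-forgery token bound to this session.
function issue_csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Hardened pattern: same checks on every method, mutations only via POST,
// and the request must carry the session's token.
function handle_admin_action_hardened(string $method, array $post, array $session): string
{
    // 1. Authentication is checked regardless of how the parameters arrived.
    if (empty($session['is_admin'])) {
        return 'denied';
    }
    // 2. State-changing commands are accepted only via POST.
    if ($method !== 'POST') {
        return 'method not allowed';
    }
    // 3. A forged request from the administrator's browser carries the session
    //    cookie but cannot carry the token, so it fails here.
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    if ($expected === '' || !hash_equals($expected, $given)) {
        return 'denied';
    }
    return run_command($post['command'] ?? '');
}

// Constructed demo requests (not captured traffic).
$session = ['is_admin' => true];
$token   = issue_csrf_token($session);

// Forged cross-site POST: arrives with the admin's session but no token.
echo "weak, forged POST:      ", handle_admin_action_weak('POST', [], ['command' => 'create_admin'], $session), "\n";
echo "hardened, forged POST:  ", handle_admin_action_hardened('POST', ['command' => 'create_admin'], $session), "\n";
// Legitimate submission from the application's own form includes the token.
echo "hardened, genuine POST: ", handle_admin_action_hardened('POST', ['command' => 'create_admin', 'csrf_token' => $token], $session), "\n";
```

Run with `php example.php`: the weak handler executes the forged request, the hardened handler denies it, and only the submission carrying the session token is executed. On the detection side, the same distinction shows up in access logs as POSTs to administrative endpoints whose Referer or Origin is not the application itself.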

Solution Description

Currently, there are no known workarounds or upgrades to correct this issue. However, phpWebSite developers have released a patch to address this vulnerability.

Short Description

phpWebSite contains a flaw that may allow a malicious user to force an administrator to execute malicious code. The issue is triggered when a malicious user sends specially crafted content to an administrator which causes commands to be executed via POST requests instead of GET requests, bypassing some authentication checks. It is possible that the flaw may allow a remote attacker to create an administrative account and/or take over the system, resulting in a loss of confidentiality and/or integrity.

References:

Vendor URL: http://phpwebsite.appstate.edu/
Vendor Specific Advisory URL
Security Tracker: 1011120
Related OSVDB ID: 9445
Related OSVDB ID: 9444
Related OSVDB ID: 9446
Other Advisory URL: http://www.gulftech.org/?node=research&article_id=00048-08312004
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-09/0008.html