PT-2006-4088 · Grayscale · Grayscale Bandsite Cms
Kw3[R]Ln
·
Publicado
2006-06-23
·
Atualizado
2017-10-19
·
CVE-2006-3193
CVSS v2.0
5.1
Média
| Vetor | AV:N/AC:H/Au:N/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
Grayscale BandSite CMS version 1.1.1
Description
The issue allows remote attackers to execute arbitrary PHP code via a URL in the
root path parameter to multiple files, including (1) includes/content/contact content.php, and several files in adminpanel/includes/add forms/, such as (2) addbioform.php, (3) addfliersform.php, (4) addgenmerchform.php, (5) addinterviewsform.php, (6) addlinksform.php, (7) addlyricsform.php, (8) addmembioform.php, (9) addmerchform.php, (10) addmerchpicform.php, (11) addnewsform.php, (12) addphotosform.php, (13) addreleaseform.php, (14) addreleasepicform.php, (15) addrelmerchform.php, (16) addreviewsform.php, (17) addshowsform.php, (18) addwearmerchform.php, as well as (19) adminpanel/includes/mailinglist/disphtmltbl.php and (20) adminpanel/includes/mailinglist/dispxls.php. This can occur when register globals is enabled.Recommendations
For Grayscale BandSite CMS version 1.1.1, consider disabling the
root path parameter or restricting its use until a patch is available. Additionally, disabling register globals can help mitigate the risk of exploitation. As a temporary workaround, restrict access to the vulnerable files in the adminpanel/includes/add forms/ directory and the mailinglist directory to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.Exploit
Code Injection
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Grayscale Bandsite Cms