CVE-2012-1199

Name of the Vulnerable Software and Affected Versions Basic Analysis and Security Engine (BASE) version 1.4.5

Description The issue allows remote attackers to execute arbitrary PHP code via a URL in various parameters, including the BASE path parameter to multiple PHP files, the GLOBALS[user session path] parameter to includes/base state common.inc.php, the BASE Language parameter to setup/base conf contents.php, or the ado inc php parameter to setup/setup2.php. This can be achieved by manipulating API endpoints such as base ag main.php, base db setup.php, base graph common.php, and others.

Recommendations For Basic Analysis and Security Engine (BASE) version 1.4.5, consider disabling the vulnerable parameters, such as BASE path, GLOBALS[user session path], BASE Language, and ado inc php, until a patch is available. Restrict access to the affected PHP files, including base ag main.php, base db setup.php, base graph common.php, and others, to minimize the risk of exploitation. Avoid using the vulnerable parameters in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.