PT-2008-2022 · Auracms · Mod Block Statistik

K1Tk4T · Published 2008-01-23 · Updated 2017-09-29 · CVE-2008-0390

CVSS v2.0: 7.5 High
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Mod Block Statistik for AuraCMS version 1.62
Description: When index.php is requested with the stat action, the Mod Block Statistik module writes the value of the X-Forwarded-For HTTP header into online.db.txt without sanitising it. Because the CMS later executes the contents of online.db.txt, a remote attacker can place arbitrary PHP code in that header and then trigger its execution via a certain request to index.php. No authentication is required (Au:N in the CVSS vector), and the result is code execution in the web server's context.
Recommendations: Treat X-Forwarded-For as untrusted input. The header is written by the client unless a proxy you operate overwrites it, so validate the value as an IP address before storing it and discard anything else. Keep statistics in a format that is parsed, never executed, and store the file outside the web root. Until a fixed release is deployed, disable the stat action to index.php and deny web access to online.db.txt; note that denying direct access only blocks retrieval of the file and does not stop the CMS from executing code already injected into it. Check the existing online.db.txt for PHP open tags (<?php) as an indicator that the flaw has already been exploited, and rebuild the file if any are found.
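The pattern behind this flaw, and a hardened replacement, as an added example. This is not code from AuraCMS or Mod Block Statistik; it reconstructs the bug class the description implies (a visitor-statistics block that persists X-Forwarded-For and later executes the file it wrote). The file names, the trusted-proxy list, the stat_* and client_ip function names and the sample request are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example, not AuraCMS code. Hypothetical reconstruction of the bug class
// described in the advisory, followed by a hardened version of the same feature.

/**
 * Vulnerable pattern: the header is stored verbatim and the data file is later
 * evaluated as PHP, so "<?php ... ?>" sent in X-Forwarded-For runs on the next
 * load. Defined for comparison only; deliberately never called below.
 */
function stat_vulnerable(string $dbFile): void
{
    $ip = $_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['REMOTE_ADDR'];
    file_put_contents($dbFile, $ip . '|' . time() . "\n", FILE_APPEND);
    include $dbFile;   // executes whatever the client put in the header
}

/**
 * Resolve the client IP. X-Forwarded-For is client-controlled unless the request
 * arrived through a proxy we operate, and even then only the entry that proxy
 * appended (the last one) is trustworthy. Anything that is not an IP literal is
 * dropped and the TCP peer address is used instead.
 */
function client_ip(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '0.0.0.0';
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }
    $parts = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    $candidate = end($parts);
    if ($candidate === false || filter_var($candidate, FILTER_VALIDATE_IP) === false) {
        return $remote;
    }
    return $candidate;
}

/** Incident-response check: does a stored line carry a PHP open tag? */
function looks_like_php_injection(string $line): bool
{
    return preg_match('/<\?(php|=)?/i', $line) === 1;
}

/**
 * Hardened pattern: validated IP only, one JSON object per line, and the file is
 * read back with a parser instead of include(). $dbFile should live outside the
 * web root (assumed path below is a temp directory for the demo).
 */
function stat_hardened(string $dbFile, array $server, array $trustedProxies): array
{
    $record = json_encode(['ip' => client_ip($server, $trustedProxies), 'ts' => time()]);
    file_put_contents($dbFile, $record . "\n", FILE_APPEND | LOCK_EX);

    $rows = [];
    foreach (file($dbFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        $row = json_decode($line, true);
        if (is_array($row) && isset($row['ip'], $row['ts'])) {
            $rows[] = $row;
        }
    }
    return $rows;
}

// Constructed request: arrives via our (assumed) proxy and carries a PHP payload
// in the header, as the advisory describes.
$proxyList  = ['10.0.0.5'];
$fakeServer = [
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => '203.0.113.7, <?php system($_GET["c"]); ?>',
];
$dbFile = sys_get_temp_dir() . '/online.db.jsonl';
@unlink($dbFile);

foreach (stat_hardened($dbFile, $fakeServer, $proxyList) as $row) {
    echo 'stored: ', $row['ip'], ' at ', $row['ts'], "\n";
}

// Scan a legacy online.db.txt-style file (constructed content) for injected code.
$legacy = "198.51.100.2|1200000000\n<?php system('id'); ?>|1200000001\n";
foreach (explode("\n", trim($legacy)) as $line) {
    echo looks_like_php_injection($line) ? 'SUSPECT  ' : 'ok       ', $line, "\n";
}
```

In the constructed request the last X-Forwarded-For entry is the payload, so it fails filter_var and the proxy's own address is recorded instead; the payload never reaches the file, and even if it did, the file is only ever json_decode'd, never included. The legacy scan flags the second line, which is the kind of evidence to look for when deciding whether an exposed installation was already exploited.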

Weakness Enumeration
Code Injection

Related Identifiers
CVE-2008-0390

Affected Products

Auracms
Mod Block Statistik