PT-2008-4352 · Devalcms · Devalcms

Cwh Underground

Published

2008-06-30

Updated

2017-09-29

CVE-2008-2913

CVSS v2.0

6.8

Medium

Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions Devalcms version 1.4a

Description A directory traversal issue exists due to the lack of proper input validation in the func.php file when magic quotes gpc is disabled. This allows remote attackers to include and execute arbitrary local files by manipulating the currentpath parameter with a .. (dot dot) sequence, in combination with specific ... (triple dot) and ..... sequences in the currentfile parameter, to index.php.

Recommendations For Devalcms version 1.4a, consider disabling the execution of external files through the func.php file until a proper patch is available, and ensure magic quotes gpc is enabled to mitigate the risk of directory traversal attacks.

Exploit

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-22

Related Identifiers

CVE-2008-2913

Affected Products

Devalcms

PT-2008-4352 · Devalcms · Devalcms

CVE-2008-2913

Weakness Enumeration

Related Identifiers

Affected Products

References · 5