PT-2009-3170 · Php · Phpslash

Darkfig

Published

2009-02-11

Updated

2018-10-11

CVE-2009-0517

CVSS v2.0

High

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions phpSlash versions 0.8.1.1 and earlier

Description The issue allows remote attackers to execute arbitrary PHP code via the fields parameter, which is supplied to an eval() function call within the generic function in include/class/tz env.class.

Recommendations For phpSlash versions 0.8.1.1 and earlier, consider disabling the eval() function call within the generic function in include/class/tz env.class as a temporary workaround until a patch is available. Restrict access to the fields parameter in the affected API endpoint to minimize the risk of exploitation.

Exploit

Fix

Code Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-94

Related Identifiers

CVE-2009-0517

Affected Products

Phpslash

PT-2009-3170 · Php · Phpslash

CVE-2009-0517

Weakness Enumeration

Related Identifiers

Affected Products

References · 7