PT-2009-5784 · Loggix · Loggix Project
Cr4Wl3R
·
Published
2009-09-30
·
Updated
2017-09-19
·
CVE-2009-3492
CVSS v2.0
7.5
High
| Vector | AV:N/AC:L/Au:N/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
Loggix Project versions 9.4.5 and earlier
Description
The issue allows remote attackers to execute arbitrary PHP code via a URL in the
pathToIndex parameter to several PHP files, including (1) Calendar.php, (2) Comment.php, (3) Rss.php, and (4) Trackback.php in lib/Loggix/Module/, as well as (5) modules/downloads/lib/LM Downloads.php.Recommendations
For Loggix Project versions 9.4.5 and earlier, consider restricting access to the vulnerable PHP files until a patch is available.
As a temporary workaround, avoid using the
pathToIndex parameter in the affected API endpoints until the issue is resolved.
Restrict access to the lib/Loggix/Module/ directory and modules/downloads/lib/LM Downloads.php to minimize the risk of exploitation.Exploit
Fix
RCE
Code Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Loggix Project