PT-2009-5932 · Efront · Efront

Cr4Wl3R

Published

2009-10-11

Updated

2017-09-19

CVE-2009-3660

CVSS v2.0

6.8

Medium

Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions Efront versions 3.5.4 and earlier

Description A remote file inclusion issue exists in the libraries/database.php file of Efront, allowing remote attackers to execute arbitrary PHP code via a URL in the path parameter when register globals is enabled. This issue is only present when the administrator does not follow the product's security documentation recommendations.

Recommendations For Efront versions 3.5.4 and earlier, ensure that register globals is disabled to prevent exploitation of this issue. As a temporary workaround, consider restricting access to the libraries/database.php file until a fix is available.

Exploit

Fix

RCE

Code Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-94

Related Identifiers

CVE-2009-3660

Affected Products

Efront

PT-2009-5932 · Efront · Efront

CVE-2009-3660

Weakness Enumeration

Related Identifiers

Affected Products

References · 6