PT-2010-1602 · Bandsite · Bandsite Cms

Sirgod

Published

2010-04-22

Updated

2017-09-19

CVE-2009-4793

CVSS v2.0

6.0

Medium

Vector

AV:N/AC:M/Au:S/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions BandSite CMS version 1.1.4

Description The issue allows remote authenticated administrators to execute arbitrary PHP code by uploading a file with an executable extension via an "addphotos" action to "adminpanel/index.php", and then accessing the file via a direct request with an "images/gallery/" directory name.

Recommendations For BandSite CMS version 1.1.4, consider restricting access to the "adminpanel/scripts/addphotos.php" script to prevent unauthorized file uploads until a patch is available. As a temporary workaround, restrict the ability to upload files with executable extensions in the "addphotos" action to minimize the risk of exploitation.

Exploit

Fix

Code Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-94

Related Identifiers

CVE-2009-4793

Affected Products

Bandsite Cms

PT-2010-1602 · Bandsite · Bandsite Cms

CVE-2009-4793

Weakness Enumeration

Related Identifiers

Affected Products

References · 4