PT-2010-3048 · Nodesforum · Nodesforum

Published: 2010-04-12 · Updated: 2017-08-17 · CVE-2010-1351

CVSS v2.0: 6.8 (Medium)

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions

Nodesforum versions 1.033 through 1.045

Description

The issue allows remote attackers to execute arbitrary PHP code when register_globals is enabled. This can be achieved via a URL in the nodesforum_path_from_here_to_nodesforum_folder parameter to erase_user_data.php and the nodesforum_code_path parameter to pre_output.php.

Recommendations

For versions 1.033 through 1.045, consider disabling the register_globals setting to prevent exploitation. Additionally, restrict access to the erase_user_data.php and pre_output.php scripts until a fix is available. Avoid using the nodesforum_path_from_here_to_nodesforum_folder and nodesforum_code_path parameters in these scripts until the issue is resolved.
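
A check a defender can run alongside these recommendations, as an added example that is not part of the original advisory or of Nodesforum: it reads php.ini text for the register_globals state and flags access-log requests that pass a URL in either parameter to either script. The exact spelling of the script and parameter names is an assumption (parameter names are compared with underscores stripped), the php.ini and log lines are constructed, and access logs do not show POST bodies or cookies.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Script -> parameter from the advisory. Names are compared with underscores
# stripped because their exact spelling is an assumption reconstructed here.
WATCHED = {
    "erase_user_data.php": "nodesforumpathfromheretonodesforumfolder",
    "pre_output.php": "nodesforumcodepath",
}
REMOTE = re.compile(r"^\s*(?:[a-z][a-z0-9+.-]*:)?//", re.I)  # scheme://host or //host
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample inputs (not taken from any real system).
SAMPLE_INI = "; constructed php.ini fragment\nregister_globals = On\n"
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Apr/2010:10:00:00 +0000] "GET /forum/erase_user_data.php?nodesforum_path_from_here_to_nodesforum_folder=http%3A%2F%2Fexample.invalid%2Fx HTTP/1.1" 200 512',
    '203.0.113.5 - - [12/Apr/2010:10:00:05 +0000] "GET /forum/pre_output.php?nodesforum_code_path=code/ HTTP/1.1" 200 128',
    '198.51.100.7 - - [12/Apr/2010:10:01:00 +0000] "GET /forum/index.php?page=2 HTTP/1.1" 200 4096',
]

def register_globals_enabled(ini_text):
    """True if the last register_globals directive in php.ini text turns it on."""
    enabled = False  # PHP has defaulted to Off since 4.2.0
    for line in ini_text.splitlines():
        m = re.match(r'\s*register_globals\s*=\s*"?(\w+)', line.split(";", 1)[0], re.I)
        if m:
            enabled = m.group(1).lower() in {"1", "on", "true", "yes"}
    return enabled

def suspicious_requests(log_lines):
    """Return (script, parameter, value) for requests passing a URL in a watched parameter."""
    hits = []
    for line in log_lines:
        m = REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        script = url.path.rsplit("/", 1)[-1].lower()
        wanted = WATCHED.get(script)
        if wanted is None:
            continue
        for key, value in parse_qsl(url.query, keep_blank_values=True):  # percent-decodes
            if re.sub(r"[^a-z0-9]", "", key.lower()) == wanted and REMOTE.match(value):
                hits.append((script, key, value))
    return hits

if __name__ == "__main__":
    print(register_globals_enabled(SAMPLE_INI), suspicious_requests(SAMPLE_LOG))
```
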

Exploit

Fix

Code Injection


Weakness Enumeration

Related Identifiers

CVE-2010-1351

Affected Products

Nodesforum