Summary
The host is running CRE Loaded and is prone to a security bypass vulnerability.
Impact
Successful exploitation will allow an attacker to bypass authentication and gain administrator privileges.
Impact Level: Application
Solution
Upgrade to CRE Loaded version 6.4.0 or later
For updates refer to http://www.creloaded.com/
Insight
The flaws are due to:
- An error in the handling of the 'PHP_SELF' variable by includes/application_top.php and admin/includes/application_top.php.
- A request with 'login.php' or 'password_forgotten.php' appended as the 'PATH_INFO', which bypasses a check that relies on 'PHP_SELF' and is not properly handled by includes/application_top.php and admin/includes/application_top.php.
Affected
CRE Loaded version before 6.4.0
References
Severity
CVSS Base Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
Classification
CVE: CVE-2009-5076, CVE-2009-5077