JAF CMS Multiple Remote File Include And Remote Shell Command Execution Vulnerabilities Network Vulnerability

Summary

JAF CMS is prone to an shell-command-execution vulnerability and multiple remote file-include vulnerabilities because the application fails to properly sanitize user-supplied input. An attacker can exploit the remote shell-command-execution issue to execute arbitrary shell commands in the context of the webserver process. An attacker can exploit remote file-include issues to include arbitrary remote files containing malicious PHP code and execute it in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system other attacks are also possible. JAF CMS 4.0 RC2 is vulnerable other versions may also be affected.

References

http://jaf-cms.sourceforge.net/
http://www.htbridge.ch/advisory/rfi_in_jaf_cms.html
http://www.htbridge.ch/advisory/shell_create__command_execution_in_jaf_cms.html
http://www.securityfocus.com/archive/1/514625
http://www.securityfocus.com/archive/1/514626
https://www.securityfocus.com/bid/44664

Updated on 2015-03-25

Severity

Classification

CVSS	Base Score: 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P

Related Vulnerabilities

Atlassian JIRA Privilege Escalation and Multiple Cross Site Scripting Vulnerabilities
Atutor AContent Multiple SQL Injection and XSS Vulnerabilities
ALCASAR Remote Code Execution Vulnerability
Apache Struts ClassLoader Manipulation Vulnerabilities
ARRIS 2307 Unprotected Web Console

JAF CMS Multiple Remote File Include and Remote Shell Command Execution Vulnerabilities

Take action and discover your vulnerabilities