Summary
This host is running Open Business Management and is prone to multiple vulnerabilities.
Impact
Successful exploitation will allow the attacker to cause SQL injection attack, gain sensitive information and execute arbitrary HTML and script code in a user's browser session in the context of a vulnerable site.
Impact Level: Application
Solution
No solution or patch was made available for at least one year since disclosure of this vulnerability. Likely none will be provided anymore.
General solution options are to upgrade to a newer release, disable respective features, remove the product or replace the product by another one.
Insight
Multiple vulnerabilities due to,
- Improper access restrictions to the 'test.php' script allowing attackers to obtain configuration information via a direct request to test.php, which calls the phpinfo function.
- Input passed via the 'sel_domain_id' and 'action' parameters to 'obm.php' is not properly sanitised before being used in SQL queries.
- Input passed via the 'tf_user' parameter to group/group_index.php and 'tf_name', 'tf_delegation', and 'tf_ip' parameters to host/host_index.php is not properly sanitised before being used in SQL queries.
- Input passed to the 'tf_name', 'tf_delegation', and 'tf_ip' parameters in index.php, 'login' parameter in obm.php, and 'tf_user' parameter in group/group_index.php is not properly sanitised before being returned to the user.
Affected
Open Business Management (OBM) 2.4.0-rc13 and prior
References
Severity
Classification
-
CVE CVE-2011-5141, CVE-2011-5142, CVE-2011-5143, CVE-2011-5144, CVE-2011-5145 -
CVSS Base Score: 6.0
AV:N/AC:M/Au:S/C:P/I:P/A:P
Related Vulnerabilities
- Ecava IntegraXor Directory Traversal Vulnerability
- IBM WebSphere Application Server WS-Security XML Encryption Weakness Vulnerability
- Apache Traffic Server HTTP TRACE Request Remote DoS Vulnerability
- Codebrws.asp Source Disclosure Vulnerability
- Acritum Femitter Server URI Directory Traversal Vulnerability