Summary
The remote host is running a PHP application that is prone to local and remote file inclusion attacks.
Description :
The system is running Plume CMS a simple but powerful content management system.
The version installed does not sanitize user input in the '_PX_config[manager_path]' parameter in the 'prepend.php' file.
This allows an attacker to include arbitrary files and execute code on the system.
This flaw is exploitable if PHP's register_globals is enabled.
Solution
Either sanitize the prepend.php
file as advised by the developer (see first URL) or upgrade to Plume CMS version 1.0.3 or later
References
Updated on 2017-03-28
Severity
Classification
-
CVE CVE-2006-0725 -
CVSS Base Score: 6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
Related Vulnerabilities