Summary
Quicksilver Forums is prone to a local file-include vulnerability and an arbitrary-file-upload vulnerability because the application fails to sufficiently sanitize user-supplied input.
An attacker can exploit these issues to upload arbitrary files onto the webserver, execute arbitrary local files within the context of the webserver, and obtain sensitive information. By exploiting the arbitrary-file- upload and local file-include vulnerabilities at the same time, the attacker may be able to execute remote code.
Quicksilver Forums 1.4.2 is vulnerable
other versions may also be
affected. Note that these issues affect only versions running on Windows platforms.
Solution
Updates are available. Please see the references for more information.
References
Severity
Classification
-
CVE CVE-2008-7064 -
CVSS Base Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
Related Vulnerabilities
- Adiscon LogAnalyzer Multiple SQL Injection and XSS Vulnerabilities
- Apache Tomcat/JBoss EJBInvokerServlet / JMXInvokerServlet (RMI over HTTP) Marshalled Object Remote Code Execution
- AIOCP 'cp_html2xhtmlbasic.php' Remote File Inclusion Vulnerability
- ActivDesk Multiple Cross Site Scripting and SQL Injection Vulnerabilities
- AlienVault Open Source SIEM (OSSIM) 'timestamp' Parameter Directory Traversal Vulnerability