Summary
The remote web server contains a PHP script that is prone to directory traversal attacks.
Description
The remote host is running RCBlog, a blog written in PHP.
The remote version of this software fails to sanitize user-supplied input to the 'post' parameter of the 'index.php' script. An attacker can use this to read arbitrary files on the remote host if PHP's 'magic_quotes' setting is disabled; regardless of that setting, files with a '.txt' extension can be read, including those the application uses to store administrative credentials.
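Added example, not part of the advisory or of RCBlog: a small Python triage script that pulls the 'post' parameter out of Apache-style access-log lines, flags requests to index.php whose value contains traversal sequences or a null byte, and shows the allow-list check the script should have applied. The log lines, the '/rcblog/' path prefix and the record field names are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (not taken from the advisory); the third is benign.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Mar/2015:10:01:02 +0000] "GET /rcblog/index.php?post=..%2F..%2F..%2Fetc%2Fpasswd%00 HTTP/1.1" 200 1523
10.0.0.5 - - [25/Mar/2015:10:01:09 +0000] "GET /rcblog/index.php?post=../../config HTTP/1.1" 200 88
192.0.2.7 - - [25/Mar/2015:10:02:30 +0000] "GET /rcblog/index.php?post=2006-01-20_hello HTTP/1.1" 200 4210
"""

# Common log format: client address, then the quoted request line.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')
# A post name the application should accept: a flat file-name token, no separators.
SAFE_POST_RE = re.compile(r'^[A-Za-z0-9_-]+$')

def is_safe_post(value: str) -> bool:
    """Allow-list check the script should have applied before building a file path."""
    return bool(SAFE_POST_RE.match(value))

def decode_param(raw: str) -> str:
    """Decode until stable so double-encoded sequences (e.g. %252e) are also caught."""
    prev, cur = None, raw
    while prev != cur:
        prev, cur = cur, unquote(cur)
    return cur

def find_traversal_attempts(log_text: str) -> list[dict]:
    """Return one record per index.php request whose 'post' value is not a safe name."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/index.php"):
            continue
        for value in parse_qs(parts.query, keep_blank_values=True).get("post", []):
            decoded = decode_param(value)
            if is_safe_post(decoded):
                continue
            hits.append({
                "ip": m.group("ip"),
                "post": decoded,
                "traversal": ".." in decoded,          # parent-directory sequence
                "null_byte": "\x00" in decoded,        # NUL: classic extension-truncation marker
            })
    return hits
```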
Solution
Remove the application as its author no longer supports it.
References
Updated on 2015-03-25
Severity
CVSS Base Score: 5.0
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Classification
CVE: CVE-2006-0370, CVE-2006-0371