Summary
This host is installed with Status2K and is prone to multiple vulnerabilities.
Impact
Successful exploitation will allow an attacker to execute arbitrary HTML and script code, manipulate SQL queries in the backend database, and disclose certain sensitive information.
Impact Level: Application
Solution
No solution or patch is available as of 9th February, 2015. Information regarding this issue will be updated once the solution details are available.
For updates refer to http://status2k.com
Insight
Multiple flaws are due to input sanitization errors in:
- the 'Username' parameter of the login.php script.
- the 'log' GET parameter of the /s2kdir/admin/options/logs.php script.
- the 'Location' parameter of the addlog.php script.
- the 'multies' parameter of the /s2k/includes/functions.php script.
- the 'templates' parameter of the /admin/options/editpl.php script.
Additional flaws are due to:
- failure to remove the /install/ installation directory after the program has been installed.
- failure to block the phpinfo action on the index.php page.
Affected
Status2K
Detection
Send a crafted request via HTTP GET and check whether it is possible to read the cookie.
Severity
Classification
CVE: CVE-2014-5088, CVE-2014-5089, CVE-2014-5090, CVE-2014-5091, CVE-2014-5092, CVE-2014-5093, CVE-2014-5094
CVSS Base Score: 7.5
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P