Summary
The remote webserver is hosting a PHP script that is vulnerable to an unrestricted file upload flaw.
Description
XHP CMS is installed on the remote system.
The installed application does not authenticate users to access the FileManager scripts located at:
'/inc/htmlarea/plugins/FileManager/manager.php'
and
'/inc/htmlarea/plugins/FileManager/standalonemanager.php'
This allows an attacker to upload content to the webserver and execute arbitrary commands with the privileges of the webserver account.
Solution
Upgrade to version 0.51 or a newer release.
Classification
- CVE: CVE-2006-1371
- CVSS Base Score: 9.0
- CVSS Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C