Info

Disclosure

Oct 31, 2004

Discovery

Unknown

Dates

Exploit

Oct 31, 2004

Solution

Unknown

Description

Goollery contains a flaw that may allow a remote attacker to execute arbitrary commands via remote file inclusion. This flaw exists because the application does not validate the "page" variable upon submission to the viewalbum.php script. This could allow an attacker to include remote code to be executed by the target server, leading to a loss of integrity.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Public
OSVDB: Web Related

Solution

Upgrade to version 0.04b or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

Martin Wirz	Goollery	0.03
		0.04

References

Security Tracker: 1012062
Related OSVDB ID: 11318 11319
Bugtraq ID: 11587
ISS X-Force ID: 17957
CVE ID: 2004-2245 (see also: NVD)
Other Advisory URL: http://www.osvdb.org/ref/11/11xxx-goollery_multiple.txt
Vendor URL: http://www.wirzm.ch/goollery/about/about.php
Keyword: Remote File Inclusion

Credit

Lostmon Lords - Lostmongmail.com -

Direct URL: http://osvdb.org/11320

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

Martin Wirz

Goollery

References

Credit