OSVDB ID: 17085

Title: Popper Webmail childwindow.inc.php form Parameter Remote File Inclusion

Info

Disclosure

Jun 01, 2005

Discovery

Mar 07, 2005

Dates

Exploit

Jun 01, 2005

Solution

Unknown

Description

Popper contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to childwindow.inc.php not properly sanitizing user input supplied to the form variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Public
OSVDB: Web Related

Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Products

J.P. Bergamin	Popper	1
		1.1x
		1.2x
		1.3x
		1.4
		1.41

References

Security Tracker: 1014116
Bugtraq ID: 13851
Secunia Advisory ID: 15584
CVE ID: 2005-1870 (see also: NVD)
ISS X-Force ID: 20875
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-06/0022.html
http://archives.neohapsis.com/archives/fulldisclosure/2005-06/0026.html
http://archives.neohapsis.com/archives/fulldisclosure/2005-06/0039.html
Other Advisory URL: http://security.lss.hr/en/index.php?page=details&ID=LSS-2005-06-07
Vendor URL: http://www.ractive.ch/popper/
Keyword: LSS-2005-06-07

Credit

Leon Juranic - infocusinfigo.hr - Infigo Information Security

Direct URL: http://osvdb.org/17085

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

J.P. Bergamin

Popper

References

Credit