Info

Disclosure

Jan 19, 2006

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Unknown

Description

Etomite Content Management System contains a default backdoor in the 'todo.inc.php' script. A remote attacker could exploit this vulnerability by sending a specially-crafted URL to the todo.inc.php script that uses the 'cij' parameter to pass malicious code to the popen() function, allowing the attacker to execute commands on the system. While the command output is mailed to a hardcoded email address, the commands are still executed.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Public
Disclosure: OSVDB Verified, Vendor Verified
OSVDB: Web Related

Solution

Upgrade to version 0.6.1 (beta) or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

Etomite.org

Etomite Content Management System

0.6

References

Secunia Advisory ID: 18556
CVE ID: 2006-0325 (see also: NVD)
ISS X-Force ID: 24254
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-01/0497.html
http://archives.neohapsis.com/archives/bugtraq/2006-01/0505.html
Vendor URL: http://www.etomite.org/
Vendor Specific News/Changelog Entry: http://www.etomite.org/forums/index.php?showtopic=4185
Other Advisory URL: http://www.lucaercoli.it/advs/etomite.txt

Credit

Luca Ercoli - luca.eseeweb.com - http://www.seeweb.com/

Direct URL: http://osvdb.org/22693