OSVDB ID: 23482

Title: ShoutLIVE savesettings.php Multiple Field Arbitrary PHP Code Execution

Info

Disclosure

Feb 24, 2006

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Unknown

Description

ShoutLIVE contains a flaw that may allow a malicious user to execute arbitrary code on the server. The issue is triggered because the application does not verify all input supplied to the 'settings.php' script. It is possible that the flaw may allow an attacker to inject PHP code in these fields which is then executed on the server, resulting in a loss of integrity.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Unknown
OSVDB: Web Related

Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Products

Cynical Games

ShoutLIVE

1.1.0

References

Milw0rm: 1590
Exploit Database: 1590
Bugtraq ID: 16857
Secunia Advisory ID: 19047
CVE ID: 2006-0940 (see also: NVD)
Related OSVDB ID: 23483
VUPEN Advisory: ADV-2006-0755
Keyword: EV0087
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-02/0688.html
Vendor URL: http://cynic.x10hosting.com/downloadfile.php?file=phpscripts/ShoutLIVE.zip
Other Advisory URL: http://evuln.com/vulns/87/summary.html

Credit

Aliaksandr Hartsuyeu - alexevuln.com - eVuln

Direct URL: http://osvdb.org/23482