Info

Disclosure

Mar 30, 2006

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Unknown

Description

QLnews contains a flaw that may allow a malicious user to execute arbitrary code. The issue is due to the the administrator having permission to add any content to the config.php script. Once modified to contain arbitrary PHP code, an attacker can call the script directly to execute the code.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Rumored
OSVDB: Web Related

Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Products

VScripts

QLnews

1.2

References

Bugtraq ID: 17335
Secunia Advisory ID: 19479
CVE ID: 2006-1576 (see also: NVD)
Related OSVDB ID: 24290
ISS X-Force ID: 25548
Keyword: EV0113
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-04/0230.html
Other Advisory URL: http://evuln.com/vulns/113/summary.html
Vendor URL: http://www.vscripts.pl/

Credit

Aliaksandr Hartsuyeu - alexevuln.com - eVuln

Direct URL: http://osvdb.org/24291