Info

Disclosure

Mar 30, 2006

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Unknown

Description

v-creator contains a flaw that may allow a malicious user to execute arbitrary shell commands. The issue is triggered due to an input validation error in the 'enrypt()' and 'decrypt()' functions in VCEngine.php. It is possible that the flaw may allow arbitrary command execution resulting in a loss of integrity.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Rumored
Disclosure: OSVDB Verified, Vendor Verified
OSVDB: Web Related

Solution

Upgrade to version 1.3-pre3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

v-creator

1.3-pre2

References

Bugtraq ID: 17328
Secunia Advisory ID: 19453
CVE ID: 2006-1599 (see also: NVD)
ISS X-Force ID: 25560
VUPEN Advisory: ADV-2006-1189
Vendor Specific News/Changelog Entry: http://sourceforge.net/forum/forum.php?forum_id=557129
Vendor URL: http://www.v-creator.com/

Credit

Unknown or Incomplete

Direct URL: http://osvdb.org/24304