Info

Disclosure

Jun 16, 2006

Discovery

Unknown

Dates

Exploit

Jun 16, 2006

Solution

Unknown

Description

CMS Faethon contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the data/footer.php script not properly sanitizing user input supplied to the 'mainpath' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Public
Disclosure: OSVDB Verified, Vendor Verified
OSVDB: Web Related

Solution

Upgrade to version 1.3.3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

Jakub Slováček	CMS Faethon	1.3.2
		1.3.3

References

Milw0rm: 1919
Exploit Database: 1919
CVE ID: 2006-3186 (see also: NVD)
Secunia Advisory ID: 20713
Related OSVDB ID: 26634 26635
Keyword: ECHO_ADV_33$2006
Other Advisory URL: http://advisories.echo.or.id/adv/adv33-K-159-2006.txt
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-06/0349.html
Vendor URL: http://cmsfaethon.com/
Vendor Specific News/Changelog Entry: http://dev.cmsfaethon.com/tracker/?do=details&id=35
ISS X-Force ID: http://xforce.iss.net/xforce/xfdb/27329

Credit

Unknown or Incomplete

Direct URL: http://osvdb.org/26630

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

Jakub Slováček

CMS Faethon

References

Credit