OSVDB ID: 27175

Title: Pearlinger Multiple Products adminForums.php GlobalSettings[templatesDirectory] Parameter Remote File Inclusion

Info

Disclosure

Jun 27, 2006

Discovery

Unknown

Dates

Exploit

Jun 27, 2006

Solution

Unknown

Description

Multiple Pearlinger.com products contain a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the includes/adminForums.php script not properly sanitizing user input supplied to the 'GlobalSettings[templatesDirectory]' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Public
OSVDB: Web Related

Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Products

Pearlinger.com	Pearl Forums	2.4
	Ngoc Biec	1.4
	Pearl For Biz	2.4
	Pearl For Mambo	1.6

References

Bugtraq ID: 18690
Exploit Database: 1956
Milw0rm: 1956
CVE ID: 2006-3340 (see also: NVD)
Secunia Advisory ID: 20819
Related OSVDB ID: 27168 27169 27170 27171 27172 27173 27174 27176 27177 27178 27179 27204
VUPEN Advisory: ADV-2006-2561
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-07/0026.html
Vendor URL: http://pearlforums.sourceforge.net/

Credit

kw3rln - office[at]rosecuritygroup[dot]net -
zero - xzeroxlinuxmail.org - Moroccan Security Team

Direct URL: http://osvdb.org/27175

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

Pearlinger.com

Pearl Forums

Ngoc Biec

Pearl For Biz

Pearl For Mambo

References

Credit