OSVDB ID: 28225

Title: phpCOIN session_set.php _CCFG[_PKG_PATH_INCL] Parameter Remote File Inclusion

Info

Disclosure

Aug 24, 2006

Discovery

Unknown

Dates

Exploit

Aug 24, 2006

Solution

Unknown

Description

phpCOIN contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to session_set.php not properly sanitizing user input supplied to the '_CCFG[_PKG_PATH_INCL]' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Solution: Upgrade
Exploit: Exploit Public
Disclosure: Vendor Verified
OSVDB: Web Related

Solution

Upgrade to version 1.2.4 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

phpCOIN

1.2.3

References

Bugtraq ID: 19706
Secunia Advisory ID: 21624
Milw0rm: 2254
Exploit Database: 2254
Related OSVDB ID: 28218 28219 28220 28221 28222 28223 28224
ISS X-Force ID: 28572
VUPEN Advisory: ADV-2006-3385
Vendor Specific Solution URL: http://forums.phpcoin.com//index.php?showtopic=3&st=0&#entry3
Vendor URL: http://www.phpcoin.com/

Credit

Timq - timqhackernetwork.com - Securitydb.org

Direct URL: http://osvdb.org/28225