OSVDB ID: 55183

Title: fuzzylime (cms) code/display.php template Parameter Local File Inclusion

Info

Disclosure

Jun 17, 2009

Discovery

Unknown

Dates

Exploit

Jun 17, 2009

Solution

Unknown

Description

fuzzylime (cms) contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the code/display.php script not properly sanitizing user input supplied to the 'template' parameter. This may allow an attacker to include a file from the targeted host that contains arbitrary commands which will be executed by the vulnerable script. Such attacks are limited due to the script only calling files already on the target host. In addition, this flaw can potentially be used to disclose the contents of any file on the system.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Public
Disclosure: Uncoordinated Disclosure
OSVDB: Web Related

Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Products

Fuzzylime	Fuzzylime CMS	3.03
		3.03

References

CVE ID: 2009-2176 (see also: NVD)
Bugtraq ID: 35418
Secunia Advisory ID: 35489
ISS X-Force ID: 51205
Related OSVDB ID: 55182 55184
Milw0rm: 8978
Exploit Database: 8978
Vendor URL: http://cms.fuzzylime.co.uk/st/content/download/

Credit

StAkeR - StAkeRhotmail.it -

Direct URL: http://osvdb.org/55183

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

Fuzzylime

Fuzzylime CMS

References

Credit