Info

Disclosure

Oct 19, 2012

Discovery

Unknown

Dates

Exploit

Oct 19, 2012

Solution

Unknown

Description

CMSQLite contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the admin/mediaAdmin.php script not properly sanitizing user-supplied input to the 'd' parameter. This may allow an attacker to include a file from the targeted host that contains arbitrary commands that will be executed by the vulnerable script. Such attacks are limited due to the script only calling files already on the target host. In addition, this flaw can potentially be used to disclose the contents of any file on the system accessible by the web server.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Solution: Solution Unknown
Exploit: Exploit Public
Disclosure: Uncoordinated Disclosure
OSVDB: Authentication Required, Web Related

Solution

OSVDB is not aware of a solution for this vulnerability.

Products

CMSQLite-Team

CMSQlite

1.3.2

References

Exploit Database: 22099
ISS X-Force ID: 79488
Related OSVDB ID: 86787 86788
Vendor URL: http://www.cmsqlite.net/
Other Advisory URL: http://www.vulnerability-lab.com/get_content.php?id=726

Credit

Unknown or Incomplete

Direct URL: http://osvdb.org/86786