CVE-2005-3820

Sažetak

Multiple directory traversal vulnerabilities in index.php in vTiger CRM 4.2 and earlier allow remote attackers to read or include arbitrary files, an ultimately execute arbitrary PHP code, via .. (dot dot) and null byte ("%00") sequences in the (1) module parameter and (2) action parameter in the Leads module, as also demonstrated by injecting PHP code into log messages and accessing the log file.

Reference

http://marc.info/?l=full-disclosure&m=113290708121951&w=2
http://secunia.com/advisories/17693
http://securitytracker.com/id?1015271
http://securitytracker.com/id?1015274
http://www.hardened-php.net/advisory_232005.105.html
http://www.securityfocus.com/archive/1/417711/30/0/threaded
http://www.securityfocus.com/archive/1/417730/30/0/threaded
http://www.securityfocus.com/bid/15562
http://www.securityfocus.com/bid/15569
http://www.vupen.com/english/advisories/2005/2569

CVSS

Base:	6.4
Impact:	4.9
Exploitability:	10.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	PARTIAL	NONE

CVSS vektor

AV:N/AC:L/Au:N/C:P/I:P/A:N

Zadnje važnije ažuriranje

19-10-2018 - 15:39

Objavljeno

26-11-2005 - 02:03