| VID |
210110 |
| Severity |
40 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
The Joomla! program is vulnerable to remote file inclusion via the 'cpage' parameter. Joomla! is an open-source content management system written in PHP. Custom Pages is a third-party module for Joomla!. Version 1.1 and earlier of the Custom Pages component are vulnerable to remote file inclusion, caused by input validation errors in the 'custompages.php' script when it processes the 'cpage' parameter. By sending a specially crafted URL request to the 'index.php' script using the 'cpage' parameter, a remote attacker could exploit this vulnerability to execute arbitrary PHP code with the privileges of the web server, regardless of PHP's 'register_globals' setting.
* References:
  * http://www.milw0rm.com/exploits/5294
  * http://secunia.com/advisories/29520
* Platforms Affected:
  * Simple Rapid Addon Dev, Custompages component for Joomla! version 1.1 and earlier versions
  * Any operating system Any version |
| Recommendation |
No upgrade or patch was available as of June 2014.
Upgrade to a fixed version of the Custompages component when one becomes available from the Joomla! Extensions Directory Web site at http://extensions.joomla.org/component/option,com_mtree/task,viewlink/link_id,1125/Itemid,35/ |
| Related URL |
CVE-2008-1505 (CVE) |
| Related URL |
28409 (SecurityFocus) |
| Related URL |
41396 (ISS) |
|