| VID |
21237 |
| Severity |
40 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
The _head.php script in Zeroboard allows remote attackers to execute arbitrary commands. Zeroboard is a PHP web board package available for the Linux and Unix platforms, and is one of the popular PHP web boards in Korea. The _head.php file does not sufficiently check or sanitize input, so under some circumstances it may be possible to include arbitrary PHP files. When the "allow_url_fopen" and "register_globals" variables in php.ini are both set to "On", it is possible to load a PHP include file from a remote URL via the _head.php script.
* References: http://www.securityfocus.com/archive/1/277126
* Platforms Affected: Zeroboard 4.0 ~ 4.1 pl2; UNIX/Linux Any version |
| Recommendation |
As a workaround, set 'allow_url_fopen = off' and 'register_globals = off' in the php.ini file. |
| Related URL |
CVE-2002-1704 (CVE) |
| Related URL |
5028 (SecurityFocus) |
| Related URL |
(ISS) |
|
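
A check for the workaround above, as an added example (not part of the original advisory or of Zeroboard): it parses php.ini text and reports whether the two directives named in the description are effectively On. The function names and both sample php.ini texts are constructed for illustration.

```python
import re

# Built-in values PHP uses when php.ini omits a directive. allow_url_fopen
# defaults to On; register_globals defaults to Off from PHP 4.2.0 onward
# (pass register_globals=True in `defaults` when auditing older releases).
PHP_DEFAULTS = {"allow_url_fopen": True, "register_globals": False}
TRUE_WORDS = {"1", "on", "true", "yes"}   # boolean spellings PHP treats as On
LINE_RE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$")

# Constructed sample: one directive On, the other only commented out.
SAMPLE_WEAK = """[PHP]
register_globals = On
;allow_url_fopen = Off
"""

# Constructed sample: the workaround applied, with a stale earlier line.
SAMPLE_HARDENED = """[PHP]
allow_url_fopen = On
allow_url_fopen = Off   ; later line wins
register_globals = "off"
"""


def effective_settings(ini_text, defaults=PHP_DEFAULTS):
    """Return the effective boolean value of each audited directive."""
    settings = dict(defaults)
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0]            # drop ';' comments
        m = LINE_RE.match(line)
        if not m:
            continue                           # blank line or [section] header
        key = m.group(1)                       # directive names are case sensitive
        value = m.group(2).strip("\"'").lower()
        if key in settings:
            settings[key] = value in TRUE_WORDS    # last occurrence wins
    return settings


def audit(ini_text, defaults=PHP_DEFAULTS):
    """List directives still On and whether both are On at the same time."""
    eff = effective_settings(ini_text, defaults)
    enabled = sorted(k for k, v in eff.items() if v)
    return {"enabled": enabled, "remote_include_precondition": len(enabled) == 2}


if __name__ == "__main__":
    for name, text in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, audit(text))
```

The result covers only the php.ini text it is given; values can also be set elsewhere (for example `php_flag` lines in Apache configuration), so those locations need the same check.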