| VID |
21447 |
| Severity |
40 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
The FlatNuke, according to its version number, has a PHP code injection vulnerability. FlatNuke is a CMS (Content Management System) written in PHP that is based entirely on plain text files rather than a database. FlatNuke versions 2.5.1 and earlier could allow a remote attacker to execute arbitrary directives or inject PHP script code on the vulnerable site, caused by a vulnerability in the forum registration code of the index.php script. A remote attacker could issue a specially-crafted value to the url_avatar field of the index.php script, which would execute arbitrary PHP commands on the affected host.
* Note: This check solely relied on the version number of the remote FlatNuke software to assess this vulnerability, so this might be a false positive.
* References:
http://www.securityfocus.com/archive/1/385922
http://www.securiteam.com/unixfocus/5MP0515EKO.html
* Platforms Affected:
FlatNuke SourceForge Project, FlatNuke 2.5.1 versions 2.5.1 and earlier
Any operating system Any version |
| Recommendation |
Upgrade to the latest version of FlatNuke (2.5.2 or later), available from the SourceForge.net Web site at http://prdownloads.sourceforge.net/flatnuke/ |
| Related URL |
CVE-2005-0267 (CVE) |
| Related URL |
12150 (SecurityFocus) |
| Related URL |
18741 (ISS) |
|
