| Field | Value |
| --- | --- |
| VID | 21453 |
| Severity | 40 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |
| Detailed Description | GNUBoard is vulnerable to a PHP injection vulnerability. GNUBoard is one of the widely used web BBS applications in Korea. GNUBoard versions 3.39 and earlier could allow a remote attacker to execute arbitrary commands on the system when the "register_globals" option is enabled. The cause is the application's failure to properly validate user-supplied input in the "doc" parameter of the "index.php" script. By sending a specially crafted request to the "index.php" script with commands included in the "doc" variable, a remote attacker could execute arbitrary commands on the target system with the privileges of the Web server. References: http://archives.neohapsis.com/archives/bugtraq/2004-12/0169.html, http://secunia.com/advisories/13479/. Platforms Affected: SIR, GNUBoard 3.39 and earlier; any operating system, any version. |
| Recommendation | Upgrade to the latest version of GNUBoard (3.40 or later), available from the GNUBoard Web site at http://www.sir.co.kr/ |
| Related URL | CVE-2004-1403 (CVE) |
| Related URL | 11948 (SecurityFocus) |
| Related URL | 18494 (ISS) |