VID 21665
Severity 40
Port 80, ...
Protocol TCP
Class CGI
Detailed Description FlatNuke is vulnerable to arbitrary PHP code execution via the "firma" parameter. FlatNuke is a CMS (Content Management System) written in PHP that is based entirely on plain text files rather than a database. FlatNuke version 2.5.5 and earlier versions are affected by multiple vulnerabilities, which can be exploited by a remote attacker to conduct cross-site scripting attacks, script insertion attacks, or compromise a vulnerable system.

1) Multiple Cross-Site Scripting Vulnerabilities: Input passed to the "bodycolor", "backimage", "theme", and "logo" parameters in the "structure.php" script isn't properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of a vulnerable site. Successful exploitation requires that register_globals is enabled.
2) Script Insertion Vulnerability: Posted news articles are not properly sanitized before being displayed to site administrators. This can be exploited to execute arbitrary script code in the site administrator's browser session in the context of an affected site when a malicious news posting is viewed.
3) Arbitrary PHP Command Execution Vulnerability: Input passed to the "firma" parameter isn't properly sanitized when the user's signature is being saved to the user file (which has a .php extension). This can be exploited to inject and execute arbitrary PHP commands.

* References:
http://secunia.com/advisories/16330/
http://rgod.altervista.org/flatnuke.html

* Platforms Affected:
FlatNuke SourceForge Project, FlatNuke version 2.5.5 and earlier versions
Any operating system, any version
Recommendation No upgrade or patch available as of August 2005.

Upgrade to the latest version of FlatNuke (2.5.6 or later) when a fixed version becomes available from the SourceForge.net Web site at http://prdownloads.sourceforge.net/flatnuke/
Related URL CVE-2005-2539,CVE-2005-2540 (CVE)
Related URL 14483,14485 (SecurityFocus)
Related URL 21707,21708,21709 (ISS)