VID: 21827
Severity: 40
Port: 80, ...
Protocol: TCP
Class: CGI
Detailed Description:
PHP Advanced Transfer Manager (phpATM) is a file upload and download manager written in PHP. phpATM version 1.30 and earlier versions are affected by multiple information disclosure and cross-site scripting vulnerabilities.

1) Input passed to the "current_dir" and "filename" parameters in "txt.php", "htm.php", "html.php", and "zip.php" is not properly sanitized before being used to display files. This can be exploited to disclose the contents of arbitrary files via directory traversal attacks.
2) Certain PHP configuration settings can be disclosed by accessing the "test.php" script directly.
3) Input passed to the "font", "normalfontcolor" and "mess[31]" parameters in "txt.php" is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

In addition, phpATM version 1.30 ships with a default password for the administrator user (admin/test), which allows remote attackers to upload and execute arbitrary PHP files.

* References:
  - http://rgod.altervista.org/phpatm130.html
  - http://secunia.com/advisories/16867/
  - http://secunia.com/advisories/17134/
  - http://www.securitytracker.com/alerts/2005/Sep/1014930.html
* Platforms Affected: Bugada Andrea, PHP Advanced Transfer Manager version 1.30 and earlier versions; any operating system, any version
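Added example, not phpATM's own code: a hardened form of the viewer-script parameter handling described in items 1 and 3 above, written in PHP (assumes PHP 7+, and the upload root path and function names are assumptions).

```php
<?php
// Base directory the viewer may serve files from (assumed path).
define('UPLOAD_ROOT', '/var/www/phpatm/uploads');

// File types the txt/htm/html/zip viewers are meant to handle.
$ALLOWED_EXT = array('txt', 'htm', 'html', 'zip');

/**
 * Resolve $current_dir/$filename under UPLOAD_ROOT and return the real path,
 * or null if the request escapes the root or names a disallowed file type.
 * This is the containment check the advisory says the original lacks.
 */
function resolve_viewer_path($current_dir, $filename, $allowed_ext) {
    // The file name must be a single path component, no separators or "..".
    if ($filename === '' || $filename !== basename($filename)) {
        return null;
    }
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed_ext, true)) {
        return null;
    }
    $root = realpath(UPLOAD_ROOT);
    $real = realpath($root . '/' . $current_dir . '/' . $filename);
    if ($root === false || $real === false) {
        return null; // root misconfigured, or file does not exist
    }
    // realpath() collapses traversal sequences, so a prefix test on the
    // canonical path is what decides whether the file is inside the root.
    if (strpos($real, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

/** Whitelist and escape display parameters such as font/normalfontcolor. */
function display_param($value, $default) {
    $value = (string)$value;
    if (!preg_match('/^[A-Za-z0-9#_-]{1,32}$/', $value)) {
        $value = $default; // anything else falls back to a known-safe value
    }
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Usage in a txt.php-style handler:
$path = resolve_viewer_path($_GET['current_dir'] ?? '', $_GET['filename'] ?? '', $ALLOWED_EXT);
if ($path === null) { http_response_code(400); exit('Bad request'); }
$font = display_param($_GET['font'] ?? '', 'Arial');
echo '<pre style="font-family:' . $font . '">'
   . htmlspecialchars(file_get_contents($path), ENT_QUOTES, 'UTF-8') . '</pre>';
```

Escaping the file contents with htmlspecialchars() also removes the separate risk of a stored HTML document being rendered by the text viewer, which is what the 'rejectedfiles' workaround addresses for the html viewers.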
Recommendation:
No upgrade or patch available as of January 2006.

Upgrade to a version of PHP Advanced Transfer Manager greater than 1.30 when a fixed version becomes available from the PHP Advanced Transfer Manager Download Web page at http://phpatm.free.fr/downloads.php?lang=en

As a workaround, disable PHP's 'register_globals' setting, remove the 'test.php' script, prevent direct access to the 'users' directory, and disallow HTML documents by editing the 'rejectedfiles' variable in the configuration file 'include/conf.php'. If the password for the 'admin' user is set to 'test', change it to a value that is difficult to guess.
Related URLs:
- CVE: CVE-2005-2997, CVE-2005-2998, CVE-2005-2999, CVE-2005-3000
- SecurityFocus: 14883, 14887, 15074, 15237
- ISS: 22426, 22457, 22428, 22431, 22433, 22434, 22583