VID 21914
Severity 40
Port 80, ...
Protocol TCP
Class CGI
Detailed Description Pixelpost, a photo blog application based on PHP and MySQL, contains multiple vulnerabilities. Pixelpost versions 1.4.3 and earlier and versions 1.5-beta1 and earlier are affected by multiple input-validation vulnerabilities that a remote attacker could exploit to conduct SQL injection attacks and gain unauthorized access to the administration interface, where the attacker could upload malicious scripts and execute arbitrary commands with the privileges of the web server. In addition, a remote attacker could obtain system information returned by the "phpinfo()" function by accessing the "includes/phpinfo.php" script, which could aid further attacks.

* References:
http://forum.pixelpost.org/showthread.php?t=3535
http://www.securityfocus.com/archive/1/426764/30/0/threaded
http://www.neosecurityteam.net/index.php?action=advisories&id=19
http://www.frsirt.com/english/advisories/2006/0823

* Platforms Affected:
Pixelpost versions 1.4.3 and earlier
Pixelpost versions 1.5-beta1 and earlier
Any operating system, any version
Recommendation Upgrade to the latest version of Pixelpost (1.5 RC1 or later), available from the Pixelpost Web site at http://www.pixelpost.org/
Related URL CVE-2006-1104, CVE-2006-1105, CVE-2006-1106 (CVE)
Related URL 16964 (SecurityFocus)
Related URL 25044, 25046, 25047, 25048 (ISS)