| VID |
21950 |
| Severity |
40 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
The Virtual Hosting Control System (VHCS) is vulnerable to a remote file include vulnerability in the 'sql.php' script. Virtual Hosting Control System (VHCS) is an open-source server control system for web hosting solutions and automation software. VHCS version 2.2 and possible other versions are vulnerable to a remote file include vulnerability, caused by improper validation of user-supplied input passed to the 'include_path' parameter of the '/include/sql.php' script. If the register_globals is enabled, a remote attacker could send a specially-crafted URL request to execute arbitrary PHP code and operating system commands on the affected host.
* References:
http://www.kernelpanik.org/docs/kernelpanik/vhcs22.en.txt
http://sourceforge.net/projects/vhcs/
http://secunia.com/advisories/13763/
http://vhcs.net/new/modules/newbb/viewtopic.php?topic_id=1576&forum=5
http://vhcs.net/new/modules/newbb/viewtopic.php?topic_id=1208&forum=5
* Platforms Affected:
VHCS Project, VHCS version 2.2 and possible other versions
Linux Any version |
| Recommendation |
As a workaround, disable PHP's 'register_globals' setting. |
| Related URL |
(CVE) |
| Related URL |
12178 (SecurityFocus) |
| Related URL |
18813 (ISS) |
|
