IMENDIO PLANNER REMOTE FILENAME FORMAT STRING VULNERABILITY

2006.08.11

Credit: LoneEagle

Risk: Medium

Local: No

Remote: Yes

CVE: CVE-2006-4070

CWE: CWE-Other

CVSS Base Score: 5.1/10

Impact Subscore: 6.4/10

Exploitability Subscore: 4.9/10

Exploit range: Remote

Attack complexity: High

Authentication: No required

Confidentiality impact: Partial

Integrity impact: Partial

Availability impact: Partial

By : LoneEagle

E-mail : king_purba (at) yahoo.co (dot) uk [email concealed]

http://kandangjamur.net

Affected :

IMENDIO PLANNER 0.13

PROJECT MANAGEMENT FEDORA 4.

Impact : System Acces

From : Remote

Severity : Moderately Critical

Description:

------------

Imendio planner was failed when opening file name format string.

Remote attacker can exploit this vulnerabilty by creating a malicious

filename that contain format string specifier. Successfull attacking can be used

for executing arbitrary code.

Solution :

----------

Don't open file from untursted source.

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

IMENDIO PLANNER REMOTE FILENAME FORMAT STRING VULNERABILITY

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.