Vanilla-1.1.10 <= Remote File Inclusion Vulnerability

2010.04.17

Credit: eidelweiss

Risk: High

Local: No

Remote: Yes

CVE: CVE-2010-1337

CWE: CWE-94

CVSS Base Score: 7.5/10

Impact Subscore: 6.4/10

Exploitability Subscore: 10/10

Exploit range: Remote

Attack complexity: Low

Authentication: No required

Confidentiality impact: Partial

Integrity impact: Partial

Availability impact: Partial

Vanilla could allow a remote attacker to include arbitrary files. A remote attacker could send a specially-crafted URL request to the definitions.php script using the include or Configuration['LANGUAGE'] parameter to specify a malicious file from a remote system, which could allow the attacker to execute arbitrary code on the vulnerable Web server.

*CVSS:
Base Score: 	7.5
  Access Vector: 	Network
  Access Complexity: 	Low
  Authentication: 	None
  Confidentiality Impact: 	Partial
  Integrity Impact: 	Partial
  Availability Impact: 	Partial
 
Temporal Score: 	6.1
  Exploitability: 	Unproven
  Remediation Level: 	Unavailable
  Report Confidence: 	Uncorroborated

Consequences:

Gain Access

References:

http://www.packetstormsecurity.com/1003-exploits/vanilla-rfi.txt

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1337

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1337

http://osvdb.org/show/osvdb/63654

http://www.securityfocus.com/bid/38889

http://xforce.iss.net/xforce/xfdb/57147

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Vanilla-1.1.10 <= Remote File Inclusion Vulnerability

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.