BLOG:CMS, Nucleus, and PunBB file include
| blog-nucleus-punbb-file-include (16744) |  Medium Risk |
Description:
BLOG:CMS could allow a remote attacker to gain unauthorized access to the system, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to include arbitrary files on the system from a local or remote system, if the register_globals option is enabled.
Platforms Affected:
- Nucleus Group, Nucleus CMS prior to 3.0.1
- PHP, BLOG CMS 3.0
- PHP, BLOG CMS 3.1
- PHP, BLOG CMS 3.1.2
- PHP, BLOG CMS 3.1.3
- PunBB, PunBB prior to 1.1.5
Remedy:
For BLOG:CMS, upgrade to the latest version (3.1.4 or later), available from the BLOG:CMS Web site. See References.
For PunBB, upgrade to the latest version (1.1.5 or later), available from the PunBB Web site. See References.
For Nucleus, upgrade to the latest version (3.0.1 or later), available from the Nucleus CMS Web site. See References.
Consequences:
Gain Access
References:
- BLOG:CMS Newsletter no. 3/2004, BLOG:CMS 3.1.4 NEW with several updates and an important security fix has been released at http://forum.blogcms.com/viewtopic.php?id=324.
- BLOG:CMS Web site, BLOG:CMS at http://blogcms.com.
- Nucleus Web site, Nucleus CMS at http://nucleuscms.org/.
- PunBB Web site, PunBB at http://www.punbb.org/.
- BID-10760: Nucleus CMS/Blog:CMS/PunBB Common.PHP Remote File Include Vulnerability
Reported:
Jul 20, 2004
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net