Sympoll PHP could allow an attacker to view files on the server

sympoll-php-view-files (9723)

Risk level: Medium

Description:

Sympoll could allow a remote attacker to view arbitrary files on the Web server, caused by improper validation of PHP variable parameters. When the PHP interpreter runs with register_globals enabled, request parameters are registered as script variables, so a remote attacker could send a specially-crafted URL request to the Sympoll PHP script that overrides the variables it uses to build a file path and thereby read files on the Web server.

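The following is an added illustration, not Sympoll's own code: a generic reconstruction of the register_globals variable-overwrite pattern that CVE-2002-1430 describes, shown next to a hardened version. The variable names ($pollDir, $pollFile), the query parameters, and the file layout are assumptions chosen for the demonstration; the advisory does not name the actual variables involved.

```php
<?php
// Added example, not Sympoll's code. Reconstructs the generic
// register_globals variable-overwrite pattern behind CVE-2002-1430 and
// contrasts it with a hardened version. $pollDir, $pollFile, the query
// parameters and the fixture files are all assumptions for illustration.

function vulnerable_show(array $query): string
{
    // Emulates register_globals=On: every query parameter becomes a local
    // variable before the script's own logic runs.
    extract($query, EXTR_OVERWRITE);
    // "Set a default unless already set" is harmless with register_globals=Off,
    // but here the request can pre-set $pollDir and $pollFile to anything.
    if (!isset($pollDir))  { $pollDir  = 'polls'; }
    if (!isset($pollFile)) { $pollFile = 'current.txt'; }
    return (string) @file_get_contents($pollDir . '/' . $pollFile);
}

function hardened_show(array $query, string $baseDir): string
{
    // 1. Read only the parameter the script actually needs; never let the
    //    request define variables (no extract(), no register_globals).
    $pollFile = $query['pollFile'] ?? 'current.txt';
    // 2. Allow-list the value's shape: a plain file name, no path separators.
    if (!preg_match('/^[A-Za-z0-9_-]{1,32}\.txt$/', $pollFile)) {
        return '';
    }
    // 3. Canonicalise and confirm the resolved path is still inside $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $pollFile);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return '';
    }
    return (string) file_get_contents($path);
}

// Constructed fixture: a poll directory plus a sensitive file outside it.
$root = sys_get_temp_dir() . '/sympoll-demo-' . getmypid();
mkdir($root . '/polls', 0700, true);
file_put_contents($root . '/polls/current.txt', "Which colour?\nred\nblue\n");
file_put_contents($root . '/secret.conf', "db_password=hunter2\n");
chdir($root);

// A normal request, and one that (under register_globals) re-points the
// directory variable, e.g. ?pollDir=<abs path>&pollFile=secret.conf
$normal = ['pollFile' => 'current.txt'];
$attack = ['pollDir' => $root, 'pollFile' => 'secret.conf'];

echo "vulnerable, normal: ", strtok(vulnerable_show($normal), "\n"), "\n";
echo "vulnerable, attack: ", trim(vulnerable_show($attack)), "\n";
echo "hardened, normal:   ", strtok(hardened_show($normal, $root . '/polls'), "\n"), "\n";
echo "hardened, attack:   '", hardened_show($attack, $root . '/polls'), "'\n";

// Clean up the fixture.
unlink($root . '/polls/current.txt');
unlink($root . '/secret.conf');
rmdir($root . '/polls');
rmdir($root);
```

Run it with `php demo.php`. The vulnerable function returns the contents of secret.conf for the crafted request because `extract()` (standing in for register_globals) lets the request define `$pollDir` before the script's default applies; the hardened function returns an empty string for the same request because it reads a single named parameter, rejects anything that is not a plain `.txt` file name, and verifies the canonical path stays under the poll directory. The `extract()` call is only a stand-in: the real mechanism was the interpreter-level register_globals directive, which is a php.ini setting (removed in PHP 5.4.0), so the same defensive checks are what close the hole regardless of how the variable gets set.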
Consequences:

Obtain Information

Remedy:

Upgrade to the latest version of Sympoll (1.4 or later), available from the Sympoll Web page; the Sympoll change log records the fix under version 1.3. See References. Until the upgrade is applied, setting register_globals = Off in php.ini removes the precondition named in the CVE description, since the file read depends on request parameters being registered as script variables.

References:

  • BugTraq Mailing List, Tue Jul 30 2002 - 15:27:48 CDT: [ADVISORY]: Arbitrary file disclosure vulnerability in Sympoll 1.2.
  • Sympoll Web site: Change log. (The change log for version 1.3 includes an item labeled "IMPORTANT SECURITY FIX" and credits the individual in the BugTraq post.)
  • Sympoll Web site: Sympoll home page.
  • BID-5360: Sympoll File Disclosure Vulnerability.
  • CVE-2002-1430: Unknown vulnerability in Sympoll 1.2 allows remote attackers to read arbitrary files when register_globals is enabled, possibly by modifying certain PHP variables through URL parameters.
  • OSVDB ID 14537: Sympoll Unspecified PHP Variable Manipulation Arbitrary File Access.

Platforms Affected:

  • David Raeman Sympoll 1.2

Reported:

Jul 30, 2002

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@us.ibm.com