Info

Disclosure

Feb 03, 2004

Discovery

Unknown

Dates

Exploit

Feb 03, 2004

Solution

Unknown

Description

Les Commentaires contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to 'admin.php' not properly sanitizing user input supplied to the 'rep' variable. This may allow a remote attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

Classification

Location: Remote/Network Access Required
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Available
Disclosure: OSVDB Verified
OSVDB: Web Related

Solution

Upgrade to version Les Commentaires 2.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

Laurent Adda

Les Commentaires

2.0

References

Secunia Advisory ID: 10768
ISS X-Force ID: 15010
Related OSVDB ID: 15990 3797
CVE ID: 2004-0246 (see also: NVD)
Bugtraq ID: 9536
Vendor Specific Solution URL: http://www.phpscripts-fr.net/scripts/download.php?id=321

Credit

Himeur Nourredine - lostnoobssecurity-challenge.com -

Direct URL: http://osvdb.org/36218