|
|
Info |
Last Modified |
| 5 months ago |
|
|
|
|
Description |
ISPConfig has been reported to contain a flaw that may allow a remote attacker to execute arbitrary commands. The issue is supposedly due to the server.inc.php, app.inc.php, login.php and trylogin.php scripts not properly sanitizing user input supplied to the 'go_info' variable. The vendor has disputed this disclosure stating the researcher reviewed "the installation tarball that is not identical with the resulting system after installtion. The file, where the $go_info array is declared that resulted in your errors is created by the installer. ISPCOnfig is not a web application that is run in a normal PHP capable webspace, ISPConfig comes with its own apache webserver and PHP specially compiled and configured for the needs of ISPConfig that prevents the attacks you described."
|
|
Classification |
Location:
Remote/Network Access Required
Attack Type:
Input Manipulation
Impact:
Loss of Integrity
Exploit:
Exploit Unavailable
OSVDB:
Web Related,
Myth/Fake
|
|
Solution |
The vulnerability reported is incorrect. No solution required.
|
|
Products |
|
ISPConfig
 |
2.2.3 |
|
|
|
|
|
Credit |
- Federico Fazzi - federico
 autistici.org -
|
|
BlogsProvided by Technorati
|
None found at this time
|
|
|
