|
|
Info |
Last Modified |
| 8 months ago |
|
|
|
|
Description |
Kietu web statistics program contains a flaw that may allow a malicious user to include malicious PHP files from other locations. The issue is triggered when an attacker sends a specially-crafted URL request to the index.php script with the parameter kietu[url_hit] set to specify a malicious file. It is possible that the flaw may allow arbitrary command excution resulting in a loss of confidentiality, integrity, and/or availability.
|
|
Classification |
Location:
Remote/Network Access Required
Attack Type:
Input Manipulation
Impact:
Loss of Integrity
OSVDB:
Web Related
|
|
Technical |
When requesting a page using the parameter kietu[url_hit] and specifying a location by URL it is possible to include a PHP file from a remote location.
|
|
Solution |
Currently, there are no known upgrades or patches available to correct this issue from the vendor.
A workaround might be to disable allow_url_fopen and register_globals in PHP unless required by other scripts.
It is also possible to edit the line: require $kietu['url_hit'].'config.php';
making the PHP script contain:
if (file_exists('config.php'))
{
require 'config.php';
}
|
|
Products |
|
Kietu
 |
2.4 |
2.5 |
2.5.a |
3.0 |
3.1 |
|
|
|
|
|
|
|
Credit |
Unknown or Incomplete
|
|
BlogsProvided by Technorati
|
None found at this time
|
|
|
