|
|
Info |
Last Modified |
| 4 months ago |
|
|
|
|
Description |
Kietu web statistics program contains a flaw that may allow a malicious user to include malicious PHP files from other locations. The issue is triggered when an attacker sends a specially-crafted URL request to the hit.php script with the parameter url_hit set to specify a malicious file. It is possible that the flaw may allow arbitrary command excution resulting in a loss of confidentiality, integrity, and/or availability.
|
|
Classification |
Location:
Remote/Network Access Required
Attack Type:
Input Manipulation
Impact:
Loss of Integrity
OSVDB:
Web Related
|
|
Technical |
When requesting a page using the parameter url_hit and specifying a location by URL it is possible to include a PHP file from a remote location.
|
|
Solution |
Upgrade to version 2.4 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround(s):
disable allow_url_fopen and register_globals in PHP unless required by other scripts.
|
|
Products |
|
Kietu
 |
2.0 |
2.1 |
2.2 |
2.2.a |
2.3 |
|
|
|
|
|
Credit |
Unknown or Incomplete
|
|
BlogsProvided by Technorati
|
None found at this time
|
|
|
