CVE-2008-3365

2008-07-30 19:41:00 2018-10-11 22:48:06

Directory traversal vulnerability in index.php in Pixelpost 1.7.1 on Windows, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the language_full parameter.

Vector

NETWORK

Complexity

MEDIUM

Authentication

NONE

Confidentiality

PARTIAL

Integrity

PARTIAL

Availability

PARTIAL

Pixelpost Pixelpost 1.7.1 (not an official CPE)

Pixelpost - Pixelpost

Advisory	Patch	Confirmed	Link
			pixelpost-languagefull-file-include(44031)
			6150
			30397
			ADV-2008-2207
			http://www.pixelpost.org/blog/2008/07/27/pixelpost-171-s...
			20080728 [DSECRG-08-033] Local File Include Vulnerabilit...
			4062

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (ID 22)

Related CAPEC 7 Relative Path Traversal (CAPEC-ID 139) Directory Traversal (CAPEC-ID 213) File System Function Injection, Content Based (CAPEC-ID 23) Using Slashes and URL Encoding Combined to Bypass Validation Logic (CAPEC-ID 64) Manipulating Input to File System Calls (CAPEC-ID 76) Using Escaped Slashes in Alternate Encoding (CAPEC-ID 78) Using Slashes in Alternate Encoding (CAPEC-ID 79)