PluXml version 5.1.5, and probably prior versions, is affected by a Local File Inclusion (LFI) vulnerability:
Input passed via the "default_lang" POST parameter to "update/index.php" is not properly verified before being used in the "include_once()" function. This can be exploited to include arbitrary local files via directory traversal sequences and URL-encoded NULL bytes.
Vulnerability ID: HTB23086
Vendor Notification / Patch / Public Disclosure Dates: 11 April / 16 April / 2 May 2012
Vulnerability Type: Local File Inclusion (LFI)
Risk level: High
Solution: Fixed by vendor; upgrade to PluXml 5.1.6
Read full information and details about this advisory: High-Tech Bridge Advisory HTB23084: Local File Inclusion in PluXml.
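
The general shape of a fix for the flaw described above, as an added PHP example (not PluXml's code and not the vendor's patch): the request value is matched against a strict pattern and an allowlist of installed language directories before it is used to build an include path. The `lang` directory layout, the `update.php` file name and the `resolve_lang_file()` helper are assumptions made for illustration.

```php
<?php
// Added example, not PluXml's code. The directory layout and the helper
// name resolve_lang_file() are assumptions for illustration.

// Pattern the advisory describes (request value reaches include_once unchecked):
//   include_once $langDir . '/' . $_POST['default_lang'] . '/update.php';

/**
 * Map a requested language code to a file under $langDir, or return null.
 */
function resolve_lang_file(string $langDir, $requested, string $file = 'update.php'): ?string
{
    // Reject arrays and anything that is not a short language code, so that
    // path separators, dots and NUL bytes never reach the filesystem layer.
    if (!is_string($requested) || !preg_match('/\A[a-z]{2}(?:_[A-Z]{2})?\z/', $requested)) {
        return null;
    }

    // Allowlist: only languages that actually exist as directories.
    $available = array_map('basename', glob($langDir . '/*', GLOB_ONLYDIR) ?: []);
    if (!in_array($requested, $available, true)) {
        return null;
    }

    // Defence in depth: the resolved path must still sit inside $langDir.
    $base = realpath($langDir);
    $path = realpath($langDir . '/' . $requested . '/' . $file);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$langDir = __DIR__ . '/lang';                      // assumed location
$path = resolve_lang_file($langDir, $_POST['default_lang'] ?? 'en')
     ?? resolve_lang_file($langDir, 'en');         // fall back to a fixed default
if ($path === null) {
    http_response_code(500);
    exit('Language files missing');
}
include_once $path;
```

Rejected values fall back to a fixed default rather than being sanitised and reused, so a malformed `default_lang` can never influence the include path.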