YaPiG Remote Server-Side Script Execution Vulnerability

Published: 2005-11-03 13:08:04

CVSS Base Vector:
AV:A/AC:L/Au:N/C:P/I:P/A:P

Recommendations:
Upgrade to YaPiG 0.92.2 or later.

Summary:
The remote version of YaPiG may allow a remote attacker to execute malicious scripts on a vulnerable system.

Technical Details:
This issue exists due to a lack of sanitization of user-supplied data. It is reported that an attacker may be able to upload content that is saved on the server with a '.php' extension. When the attacker then requests this file, its contents are parsed and executed by the PHP engine rather than being returned as a static file.
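The following is an added example of the defensive pattern that closes this class of bug; it is not YaPiG code. It assumes an upload form field named "image" and a storage directory outside the web root (both assumptions), and chooses the stored filename and extension server-side from the image data instead of from the user-supplied name.

```php
<?php
// Added example (not YaPiG code): save an uploaded gallery image safely.
// Assumptions: form field "image"; $storeDir lies outside the web root.

const ALLOWED_TYPES = [
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
    IMAGETYPE_GIF  => 'gif',
];

/**
 * Validate the uploaded temp file and return a server-chosen filename,
 * or null when the content is not an accepted image type.
 */
function safeImageName(string $tmpPath): ?string
{
    // The weak pattern is to reuse $_FILES['image']['name'] as-is, which is
    // how a ".php" filename ends up on disk. Here the extension is decided
    // from the decoded image header, never from the client-supplied name.
    $info = @getimagesize($tmpPath);
    if ($info === false || !isset(ALLOWED_TYPES[$info[2]])) {
        return null;
    }
    // Random basename: no user-controlled characters, no double extensions.
    return bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$info[2]];
}

/** Move a validated upload into $storeDir; returns the stored name or null. */
function storeUpload(array $file, string $storeDir): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $name = safeImageName($file['tmp_name']);
    if ($name === null) {
        return null;
    }
    $dest = rtrim($storeDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0644); // world-readable, never executable
    return $name;
}

if (isset($_FILES['image'])) {
    // Storage path is an assumption; it must not be served by the PHP engine.
    $saved = storeUpload($_FILES['image'], '/var/app/gallery_uploads');
    http_response_code($saved === null ? 400 : 200);
}
```

Files stored this way can only ever carry an image extension, and because they sit outside the document root they are handed to the browser by a separate read-and-echo script rather than interpreted by PHP.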

Impact:
Successful exploitation of this issue may allow an attacker to execute malicious script code on a vulnerable server.

Detection Type:
Remote Banner

Solution Type:
Vendor Patch

SecurityFocus Bugtraq ID:

https://www.securityfocus.com/bid/10891

References:

http://archives.neohapsis.com/archives/fulldisclosure/2004-08/0756.html

Severity:
Medium

CVSS Score:
5.8
