CVE-2008-6934

Static code injection vulnerability in Sanus|artificium (aka Sanusart) Free simple guestbook PHP script, when downloaded before 20081111, allows remote attackers to inject arbitrary PHP code into messages.txt via the message parameter to act.php, which is executed when guestbook/guestbook.php is accessed. NOTE: some of these details are obtained from third party information.

CVSS v2.0 7.5 HIGH

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://secunia.com/advisories/32643	Vendor Advisory
http://www.sanusart.com/news.php
http://www.vupen.com/english/advisories/2008/3095	Vendor Advisory
http://osvdb.org/49703
http://www.securityfocus.com/bid/32240	Exploit
https://exchange.xforce.ibmcloud.com/vulnerabilities/46526
https://www.exploit-db.com/exploits/7079

Advertisement

Configurations

Configuration 1 (hide)

cpe:2.3:a:sansuart:free_simple_guestbook_php_script:*:*:*:*:*:*:*:*

Information

Published : 2009-08-11 14:00

Updated : 2017-09-28 18:33

NVD link : CVE-2008-6934

Mitre link : CVE-2008-6934

JSON object : View

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

Advertisement

Products Affected

sansuart

free_simple_guestbook_php_script

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://secunia.com/advisories/32643", "name": "32643", "tags": ["Vendor Advisory"], "refsource": "SECUNIA"}, {"url": "http://www.sanusart.com/news.php", "name": "http://www.sanusart.com/news.php", "tags": [], "refsource": "CONFIRM"}, {"url": "http://www.vupen.com/english/advisories/2008/3095", "name": "ADV-2008-3095", "tags": ["Vendor Advisory"], "refsource": "VUPEN"}, {"url": "http://osvdb.org/49703", "name": "49703", "tags": [], "refsource": "OSVDB"}, {"url": "http://www.securityfocus.com/bid/32240", "name": "32240", "tags": ["Exploit"], "refsource": "BID"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46526", "name": "spgs-act-code-execution(46526)", "tags": [], "refsource": "XF"}, {"url": "https://www.exploit-db.com/exploits/7079", "name": "7079", "tags": [], "refsource": "EXPLOIT-DB"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Static code injection vulnerability in Sanus|artificium (aka Sanusart) Free simple guestbook PHP script, when downloaded before 20081111, allows remote attackers to inject arbitrary PHP code into messages.txt via the message parameter to act.php, which is executed when guestbook/guestbook.php is accessed. NOTE: some of these details are obtained from third party information."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-94"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2008-6934", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "severity": "HIGH", "impactScore": 6.4, "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": true, "userInteractionRequired": false}}, "publishedDate": "2009-08-11T21:00Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:sansuart:free_simple_guestbook_php_script:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2017-09-29T01:33Z"}