Web application abuses : VICIdial 'manager_send.php' Command Injection Vulnerability

Búsqueda de Vulnerabilidad		Buscar 324607 Descripciones CVE y 146377 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.0.103821

Categoría: Web application abuses

Título: VICIdial 'manager_send.php' Command Injection Vulnerability

Resumen: VICIdial is prone to a command-injection vulnerability because; the application fails to properly sanitize user-supplied input.

Descripción: Summary:
VICIdial is prone to a command-injection vulnerability because
the application fails to properly sanitize user-supplied input.

Vulnerability Insight:
In multiple locations, there are calls to passthru() that do not
perform any filtering or sanitization on the input.

Vulnerability Impact:
An attacker may leverage this issue to execute arbitrary commands
in the context of the affected application.

Affected Software/OS:
VICIdial 2.7RC1, 2.7 and 2.8-403a are vulnerable.
Other versions may also be affected.

Solution:
Ask the Vendor for an update.

CVSS Score:
6.5

CVSS Vector:
AV:N/AC:L/Au:S/C:P/I:P/A:P

Referencia Cruzada: Common Vulnerability Exposure (CVE) ID: CVE-2013-4468
http://www.exploit-db.com/exploits/29513
https://adamcaudill.com/2013/10/23/vicidial-multiple-vulnerabilities/
http://www.openwall.com/lists/oss-security/2013/10/23/10
http://www.openwall.com/lists/oss-security/2013/10/25/1
Common Vulnerability Exposure (CVE) ID: CVE-2013-4467
BugTraq ID: 63340
http://www.securityfocus.com/bid/63340
https://adamcaudill.com/2013/10/23/vicidial-multiple-vulnerabilities
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/vicidial_manager_send_cmd_exec.rb
http://seclists.org/oss-sec/2013/q4/171
http://seclists.org/oss-sec/2013/q4/175
http://osvdb.org/98903
http://secunia.com/advisories/55453

Copyright Copyright (C) 2013 Greenbone Networks GmbH

Esta es sólo una de 146377 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.0.103821
Categoría:	Web application abuses
Título:	VICIdial 'manager_send.php' Command Injection Vulnerability
Resumen:	VICIdial is prone to a command-injection vulnerability because; the application fails to properly sanitize user-supplied input.
Descripción:	Summary: VICIdial is prone to a command-injection vulnerability because the application fails to properly sanitize user-supplied input. Vulnerability Insight: In multiple locations, there are calls to passthru() that do not perform any filtering or sanitization on the input. Vulnerability Impact: An attacker may leverage this issue to execute arbitrary commands in the context of the affected application. Affected Software/OS: VICIdial 2.7RC1, 2.7 and 2.8-403a are vulnerable. Other versions may also be affected. Solution: Ask the Vendor for an update. CVSS Score: 6.5 CVSS Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2013-4468 http://www.exploit-db.com/exploits/29513 https://adamcaudill.com/2013/10/23/vicidial-multiple-vulnerabilities/ http://www.openwall.com/lists/oss-security/2013/10/23/10 http://www.openwall.com/lists/oss-security/2013/10/25/1 Common Vulnerability Exposure (CVE) ID: CVE-2013-4467 BugTraq ID: 63340 http://www.securityfocus.com/bid/63340 https://adamcaudill.com/2013/10/23/vicidial-multiple-vulnerabilities https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/vicidial_manager_send_cmd_exec.rb http://seclists.org/oss-sec/2013/q4/171 http://seclists.org/oss-sec/2013/q4/175 http://osvdb.org/98903 http://secunia.com/advisories/55453
Copyright	Copyright (C) 2013 Greenbone Networks GmbH