GLSA-200605-04 : phpWebSite: Local file inclusion

This script is Copyright (C) 2006-2014 Tenable Network Security, Inc.


Synopsis :

The remote Gentoo host is missing one or more security-related
patches.

Description :

The remote host is affected by the vulnerability described in GLSA-200605-04
(phpWebSite: Local file inclusion)

rgod has reported that the 'hub_dir' parameter in 'index.php'
isn't properly verified. When 'magic_quotes_gpc' is disabled, this can
be exploited to include arbitrary files from local ressources.

Impact :

If 'magic_quotes_gpc' is disabled, which is not the default on
Gentoo Linux, a remote attacker could exploit this issue to include and
execute PHP scripts from local ressources with the rights of the user
running the web server, or to disclose sensitive information and
potentially compromise a vulnerable system.

Workaround :

There is no known workaround at this time.

See also :

http://www.gentoo.org/security/en/glsa/glsa-200605-04.xml

Solution :

All phpWebSite users should upgrade to the latest available
version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=www-apps/phpwebsite-0.10.2'

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

Family: Gentoo Local Security Checks

Nessus Plugin ID: 21319 (gentoo_GLSA-200605-04.nasl)

Bugtraq ID:

CVE ID: CVE-2006-1819