Vortex Portal Content Management System Multiple Remote File Inclusion
Medium Nessus Network Monitor Plugin ID 2745
Synopsis: The remote host is vulnerable to a script injection attack.
Description: The remote host is running Vortex Portal, a content-management system for gaming. This version of Vortex is vulnerable to an 'include' file injection attack. Specifically, the 'act' variable of 'content.php' and 'index.php' is not properly sanitized by the Vortex application. An attacker exploiting this flaw would be able to include arbitrary malicious code within a URI. The attacker would then need to be able to convince a client to browse to the URI. A successful attack would result in the client browser executing malicious code within the context of the Vortex application.
Solution: Ensure that this application is allowed within corporate policies and guidelines.