Contenido < 4.6.4 class.inuse.php Multiple Parameter Remote File Inclusion

High Nessus Network Monitor Plugin ID 3323

Synopsis

The remote host is vulnerable to a flaw that allows attackers to execute arbitrary commands.

Description

The remote host is running Contenido, a web content-management application. This version of Contenido is vulnerable to an unspecified 'command execution' flaw. It is reported that an attacker can, by sending a malformed query, coerce the application into running system commands. The flaw can be exploited only if the "allow_url_fopen" and "register_globals" PHP configuration directives are enabled. Successful exploitation would result in loss of confidential data as well as a compromise of system integrity.

Solution

Upgrade to version 4.6.4 or higher.

See Also

http://sourceforge.net/projects/contenidocms

Plugin Details

Severity: High

ID: 3323

Family: CGI

Published: 2005/12/09

Modified: 2016/01/15

Dependencies: 1442

Risk Information

Risk Factor: High

CVSSv2

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:H/RL:OF/RC:C

CVSSv3

Base Score: 7.3

Temporal Score: 7

Vector: CVSS3#AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS3#E:H/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:contenido:contendio

Reference Information

CVE: CVE-2005-4132

BID: 15790