PHP Live! Helper < 2.1.0 Multiple Vulnerabilities

High Nessus Network Monitor Plugin ID 4627

Synopsis

The remote host is vulnerable to multiple attack vectors.

Description

The remote host is running PHP Live Helper, a customer support application.

This version of Live Helper is vulnerable to a number of flaws.

There is a SQL injection flaw when handling malformed data to the 'dep' parameter of the 'onlinestatus_html.php' script. An attacker exploiting this flaw would be able to execute arbitrary SQL commands against the database server.

There is a flaw in the way that the application handles data passed to the 'libsecure.php' source file. An attacker exploiting this flaw would be able to change the behavior of the database server.

There is a flaw in the way that the application handles data to the 'rg' parameter of the 'globalsoff.php' file. An attacker exploiting this flaw might be able to get arbitrary code executed via an 'eval()' function call.

Solution

Upgrade to version 2.1.0 or higher.

See Also

http://demos.turnkeywebtools.com/phplivehelper/docs/change_log.txt

Plugin Details

Severity: High

ID: 4627

File Name: 4627.prm

Family: CGI

Published: 2008/08/18

Modified: 2016/01/15

Dependencies: 1442

Risk Information

Risk Factor: High

CVSSv2

Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

CVSSv3

Base Score: 7.3

Temporal Score: 6.8

Vector: CVSS3#AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS3#E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:php_live:php_live

Reference Information

CVE: CVE-2008-3762, CVE-2008-3763, CVE-2008-3764

BID: 30729

OSVDB: 47632, 47633, 47634