
PHP Advanced Transfer Manager <= 1.30 Multiple Vulnerabilities



The remote host is vulnerable to multiple attack vectors.


The version of PHP Advanced Transfer Manager on the remote host suffers from multiple information disclosure and cross-site scripting flaws. For example, by calling the text or HTML viewer directly, an unauthenticated attacker can view arbitrary files, possibly even from remote hosts, provided PHP's 'register_globals' setting is enabled. As another example, an attacker can issue a request for '/PATH/users/username' and retrieve sensitive user credentials. In addition, selected PHP settings on the remote host can be disclosed by accessing the 'test.php' script directly.


Disable PHP's 'register_globals' setting and remove the 'test.php' script.
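A local check for the conditions described above, as an added example that is not part of the original advisory or of PHP Advanced Transfer Manager. The function names are hypothetical, and the layout ('test.php' and 'users/' directly under the install directory) is an assumption taken from the paths the advisory mentions.

```python
import os
import re
import tempfile

# Values PHP treats as true for a boolean ini directive.
_TRUTHY = {"1", "on", "true", "yes"}
# Anchored at line start, so ';'-commented directives never match.
_DIRECTIVE = re.compile(r"^\s*register_globals\s*=\s*([^;]*)", re.IGNORECASE)

def register_globals_enabled(ini_text):
    """Return True if the last active register_globals line turns it on."""
    enabled = False  # assumption: unset means Off (the default since PHP 4.2.0)
    for line in ini_text.splitlines():
        m = _DIRECTIVE.match(line)
        if m:  # later lines override earlier ones
            enabled = m.group(1).strip().strip("\"'").lower() in _TRUTHY
    return enabled

def audit_install(app_dir, ini_text):
    """Check one install directory for the exposures the advisory lists."""
    findings = []
    if register_globals_enabled(ini_text):
        findings.append("register_globals is enabled")
    # Assumed location: test.php sits in the install root.
    if os.path.isfile(os.path.join(app_dir, "test.php")):
        findings.append("test.php is present")
    users_dir = os.path.join(app_dir, "users")
    if os.path.isdir(users_dir) and os.listdir(users_dir):
        findings.append("users/ contains account files")
    return findings

def demo():
    # Constructed sample: a throwaway directory laid out like an affected install.
    with tempfile.TemporaryDirectory() as app_dir:
        os.mkdir(os.path.join(app_dir, "users"))
        for rel in ("test.php", os.path.join("users", "alice")):
            with open(os.path.join(app_dir, rel), "w") as fh:
                fh.write("placeholder\n")
        ini = "; register_globals = Off\nregister_globals = On ; legacy\n"
        before = audit_install(app_dir, ini)
        # Apply the advisory's two steps, then audit again.
        os.remove(os.path.join(app_dir, "test.php"))
        after = audit_install(app_dir, "register_globals = Off\n")
        return before, after

if __name__ == "__main__":
    print(demo())
```

The check reads only the filesystem and the supplied ini text, so the 'users/' finding reports that account files exist in that directory, not whether the web server actually serves them.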