Описание
Limbo CMS 1.0.4.2 and earlier, with register_globals off, does not protect the $_SERVER variable from external modification, which allows remote attackers to use the _SERVER[REMOTE_ADDR] parameter to (1) conduct cross-site scripting (XSS) attacks in the stats module or (2) execute arbitrary code via an eval injection attack in the wrapper option in index2.php.
Limbo CMS 1.0.4.2 and earlier, with register_globals off, does not protect the $_SERVER variable from external modification, which allows remote attackers to use the _SERVER[REMOTE_ADDR] parameter to (1) conduct cross-site scripting (XSS) attacks in the stats module or (2) execute arbitrary code via an eval injection attack in the wrapper option in index2.php.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2005-4317
- http://rgod.altervista.org/limbo1042_xpl.html
- http://secunia.com/advisories/18063
- http://securityreason.com/securityalert/255
- http://securitytracker.com/id?1015364
- http://www.osvdb.org/21754
- http://www.osvdb.org/21756
- http://www.securityfocus.com/archive/1/419470/100/0/threaded
- http://www.securityfocus.com/bid/15871
- http://www.vupen.com/english/advisories/2005/2932
EPSS
CVE ID
Связанные уязвимости
Limbo CMS 1.0.4.2 and earlier, with register_globals off, does not protect the $_SERVER variable from external modification, which allows remote attackers to use the _SERVER[REMOTE_ADDR] parameter to (1) conduct cross-site scripting (XSS) attacks in the stats module or (2) execute arbitrary code via an eval injection attack in the wrapper option in index2.php.
EPSS