* Technical Description *
Multiple vulnerabilities were identified in phpAdsNew, which could be exploited by remote attackers to execute arbitrary commands.
The first issue is due to an input validation error in the XML-RPC library when processing, via an "eval()" call, certain XML tags nested in parsed documents, which could be exploited by remote attackers to execute arbitrary PHP commands. For additional information, see : FrSIRT/ADV-2005-1413
The second vulnerability is due to an input validation error in "lib-view-direct.inc.php" when processing a specially crafted "clientid" variable, which could be exploited by malicious users to conduct SQL injection attacks.
The third flaw is due to an input validation error when processing specially crafted parameters, which may be exploited by remote attackers to include malicious files and execute arbitrary commands with the privileges of the web server.
* Affected Products *
phpAdsNew versions prior to 2.0.6
* Solution *
Upgrade to phpAdsNew version 2.0.6 :
http://prdownloads.sourceforge.net/phpadsnew/ * References *
http://www.frsirt.com/english/advisories/2005/1446
AlphaOne Technology Support Forums
Author
Logged
