PmWiki Multiple Script "GLOBALS" Array Handling Remote Vulnerabilities


Description   Multiple vulnerabilities were identified in PmWiki, which remote attackers could exploit to execute arbitrary commands and scripting code. These flaws are due to various errors in the layer that unregisters "register_globals" variables when it processes "GLOBALS" variables; they could be exploited to include arbitrary files, conduct cross-site scripting attacks, and disclose sensitive information.
     
Vulnerable Products   Vulnerable Software:
PmWiki version 2.0.13 and prior
PmWiki version 2.1 beta 20 and prior
     
Solution   Upgrade to PmWiki version 2.1 beta 21: http://www.pmwiki.org/wiki/PmWiki/Download
     
CVE   CVE-2006-0479
     
References   http://www.ush.it/2006/01/24/pmwiki-multiple-vulnerabilities/
     
Vulnerability Manager Detection   No
     
IPS Protection
ASQ Engine alarm   PHP : Remote file inclusion prevention: suspicious GLOBALS variable
Available Since   3.2.0
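The kind of check the alarm name describes can be reproduced over web server logs. The following is an added example, not the ASQ engine's signature or PmWiki code: it flags request parameters whose decoded name addresses the GLOBALS array in the query string, form body or cookies. The function names, the sample requests and the `example_var` name are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Parameter names that address PHP's GLOBALS array: "GLOBALS" or "GLOBALS[...]".
# PHP variable names are case-sensitive, so only the upper-case form is matched.
_GLOBALS_NAME = re.compile(r"^GLOBALS(\[|$)")

def _decode(text, rounds=3):
    """Percent-decode repeatedly so double-encoded names are normalised too.
    This is deliberately stricter than PHP, which decodes once."""
    for _ in range(rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text

def suspicious_params(param_string, sep="&"):
    """Return the decoded parameter names that target the GLOBALS array.
    Only names are inspected, so a value mentioning GLOBALS is not flagged."""
    hits = []
    for pair in param_string.split(sep):
        name = _decode(pair.split("=", 1)[0]).strip()
        if _GLOBALS_NAME.match(name):
            hits.append(name)
    return hits

def scan_request(target, cookie="", body=""):
    """Check the three places PHP reads request variables from:
    the URL query string, a urlencoded POST body, and the Cookie header."""
    query = target.split("?", 1)[1] if "?" in target else ""
    return {
        "query": suspicious_params(query),
        "body": suspicious_params(body),
        "cookie": suspicious_params(cookie, sep=";"),
    }

# Constructed sample requests (target, Cookie header, body); not from the advisory.
SAMPLES = [
    ("/pmwiki.php?n=Main.HomePage", "", ""),
    ("/pmwiki.php?%47LOBALS%5Bexample_var%5D=x", "", ""),
    ("/pmwiki.php?n=Main.HomePage", "sid=1; GLOBALS[example_var]=x", ""),
    ("/pmwiki.php", "", "text=about+GLOBALS&GLOBALS%255Bexample_var%255D=x"),
]

if __name__ == "__main__":
    for target, cookie, body in SAMPLES:
        found = {k: v for k, v in scan_request(target, cookie, body).items() if v}
        print("ALERT" if found else "ok   ", target, found)
```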
     


 
 
 
 
Risk level   High

Vulnerability First Public Report Date   2006-01-30

Target Type   Server

Possible exploit   Local & Remote