Vulnerability Description
PHP remote file inclusion vulnerability in main.inc in KorWeblog 1.6.2-cvs and earlier allows remote attackers to execute arbitrary PHP code by modifying the G_PATH parameter to reference a URL on a remote web server that contains the code, as demonstrated in index.php when using .. (dot dot) sequences in the lng parameter to cause main.inc to be loaded.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Korweblog | Korweblog | 1.6.1 |
References
- http://marc.info/?l=bugtraq&m=110442847614890&w=2
- http://secunia.com/advisories/13700
- http://www.securityfocus.com/bid/12132Exploit
- https://exchange.xforce.ibmcloud.com/vulnerabilities/18717
- http://marc.info/?l=bugtraq&m=110442847614890&w=2
- http://secunia.com/advisories/13700
- http://www.securityfocus.com/bid/12132Exploit
- https://exchange.xforce.ibmcloud.com/vulnerabilities/18717
FAQ
What is CVE-2004-1427?
CVE-2004-1427 is a vulnerability with a CVSS score of 7.5 (HIGH). PHP remote file inclusion vulnerability in main.inc in KorWeblog 1.6.2-cvs and earlier allows remote attackers to execute arbitrary PHP code by modifying the G_PATH parameter to reference a URL on a r...
How severe is CVE-2004-1427?
CVE-2004-1427 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2004-1427?
Check the references section above for vendor advisories and patch information. Affected products include: Korweblog Korweblog.