Vendor: ShoutPro
By: Gammarays
CVSS: 7.5 (HIGH)
CWE: 94 (PHP Code Injection)
Product Name: ShoutPro
Affected Version From: ShoutPro 1.5.2 (may affect earlier versions)
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Platforms Tested:
Year: 2007
ShoutPro PHP Code Injection
ShoutPro 1.5.2 fails to fully sanitize the user-supplied $shout value that it writes to the shouts.php file when a new message is added. Because the unsanitized input ends up in a PHP file, this can result in the injection and execution of arbitrary PHP code.
Mitigation:
1) Add code to perform strip_tags() on $shout in shoutbox.php
2) Prevent direct access to shouts.php with a .htaccess file
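The following is an added example, not ShoutPro's own code, showing how the first mitigation looks in a hardened add-shout handler. It goes slightly beyond the advisory: besides applying strip_tags() to the submitted value, it stores shouts as JSON data in a file outside the web root rather than as PHP source, so a sanitization slip can never become executable code. The function names, the data file path and the form field names are assumptions for illustration.

```php
<?php
// Added example (not ShoutPro's code). Function names, file path and form
// field names are assumptions for illustration.

// Sanitize a submitted shout before it is persisted. strip_tags() removes
// HTML tags and PHP open/close tags, so no code can be smuggled into a file
// the application later executes; htmlspecialchars() then neutralises any
// remaining angle brackets and quotes for safe display.
function sanitize_shout(string $shout, int $maxLen = 255): string
{
    $clean = strip_tags($shout);
    $clean = htmlspecialchars($clean, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return mb_substr(trim($clean), 0, $maxLen);
}

// Store shouts as data, never as PHP source. Each entry is one JSON line in a
// file outside the web root, so it cannot be requested directly and is never
// parsed by the PHP interpreter.
function append_shout(string $dataFile, string $name, string $shout): void
{
    $record = json_encode([
        'time'  => time(),
        'name'  => sanitize_shout($name, 40),
        'shout' => sanitize_shout($shout),
    ], JSON_THROW_ON_ERROR);
    file_put_contents($dataFile, $record . "\n", FILE_APPEND | LOCK_EX);
}

// Read back the most recent shouts for display; the stored values are already
// entity-encoded, so they can be echoed into HTML as-is.
function read_shouts(string $dataFile, int $limit = 20): array
{
    if (!is_file($dataFile)) {
        return [];
    }
    $lines = file($dataFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    $lines = array_slice($lines, -$limit);
    return array_map(
        fn(string $l): array => json_decode($l, true, 512, JSON_THROW_ON_ERROR),
        $lines
    );
}

// Request handling (assumed form fields "name" and "shout").
$dataFile = __DIR__ . '/../data/shouts.jsonl';   // assumed path outside the web root
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    append_shout($dataFile, $_POST['name'] ?? '', $_POST['shout'] ?? '');
}
foreach (read_shouts($dataFile) as $s) {
    echo '<p><b>' . $s['name'] . '</b>: ' . $s['shout'] . "</p>\n";
}
```

For an installation that must keep writing to shouts.php inside the web root, the advisory's second mitigation still applies: an Apache `.htaccess` in that directory containing `<Files "shouts.php">Deny from all</Files>` (or `Require all denied` on Apache 2.4) stops the file from being requested directly while the including script can still read it.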