vendor:
by: Trex
CVSS: 7.5 (HIGH)
CWE: Remote File Disclosure
Product Name:
Affected Version From: WebSPELL <= 4.01.02
Affected Version To:
Patch Exists: YES
Related CWE:
CPE:
Platforms Tested:
2007
WebSPELL <= 4.01.02 (picture.php) Remote File Disclosure Vulnerability
This vulnerability allows a remote attacker to disclose files on the target system. It works independently of the PHP version but depends on the PHP option register_globals being on (register_globals = on), or on a PHP version below 4.3.0. The exploit is triggered by requesting picture.php with specific parameters.
Mitigation:
The recommended solution to this vulnerability is to apply the patch provided at http://fixes.trex-online.net/picture.rar.