English
Log in
Search
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

HomeDescriptionsSA38524

JaxCMS "p" Local File Inclusion Vulnerability


Secunia ID

SA38524
CVE-ID

CVE-2010-1043
Release Date

08 Feb 2010
Last Change

26 Mar 2010
Criticality

Moderately Critical
Solution Status

Unpatched
Software

JaxCMS 1.x
Where

From remote
Impact
Exposure of sensitive information

Vulnerabilities where documents or credentials are leaked or can be revealed either locally or from remote.
Description

A vulnerability has been discovered in JaxCMS, which can be exploited by malicious people to disclose potentially sensitive information.

Input passed to the "p" parameter in index.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources via directory traversal attacks and URL-encoded NULL bytes.

The vulnerability is discovered in version 1.0. Other versions may also be affected.
Solution

Edit the source code to ensure that input is properly verified.
Reported by

Hamza 'MizoZ' N.

© 1997-2012 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.

kaspersky.com

Products

eStore

Threats

Downloads

Support

Partners

About Us

Search

securelist.com

Threats

Analysis

Blog

Descriptions

Glossary

RSS feeds

Contacts

Search