Vote! Pro PHP *eval()* Injection Vulnerability

Posted on Tuesday, January 23, 2007 @ 11:40:03 PST in Security
by Raven



CRITICAL: Highly critical

IMPACT: System access

SOFTWARE: Vote! Pro 4.x

DESCRIPTION: r0ut3r has reported a vulnerability in Vote! Pro, which can be exploited by malicious people to compromise vulnerable systems.

Input passed to the "poll_id" parameter in poll_frame.php is not properly sanitised before being used in "eval()" calls. This can be exploited to inject and execute arbitrary PHP code via a specially crafted parameter value. The vulnerability is reported in version 4.0. Other versions may also be affected.

NOTE: The "poll_id" eval() issue reportedly affects many other scripts in the product.

SOLUTION: Edit the source code to ensure that input is properly sanitised.

PROVIDED AND/OR DISCOVERED BY: r0ut3r
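
One way to apply the SOLUTION above, as an added example that is not Vote! Pro's code and not part of the original advisory: the names parse_poll_id, load_poll and $polls and the sample inputs are assumptions made for illustration. It accepts "poll_id" only as a positive decimal integer and uses it as an array key, so no request data reaches eval().

```php
<?php
// Added illustration, NOT Vote! Pro source code. All names are hypothetical.
// Requires PHP 7.1+ for nullable return types.

// Hypothetical shape of the flaw class the advisory describes (kept as a comment):
//   eval('$poll = $polls[' . $_GET['poll_id'] . '];');   // request input becomes PHP code

/**
 * Return poll_id as a positive integer, or null when the raw value is
 * anything other than 1-9 decimal digits without a leading zero.
 */
function parse_poll_id($raw): ?int
{
    // is_string() rejects array input such as poll_id[]=2.
    // \A and \z anchor the whole string; "$" would accept a trailing newline.
    if (!is_string($raw) || preg_match('/\A[1-9][0-9]{0,8}\z/', $raw) !== 1) {
        return null;
    }
    return (int) $raw; // at most 999999999, fits in a 32-bit int
}

/**
 * Look up a poll by validated id. The id is used only as an array key,
 * so there is no dynamic code evaluation at all.
 */
function load_poll(array $polls, $rawId): ?array
{
    $id = parse_poll_id($rawId);
    if ($id === null || !isset($polls[$id])) {
        return null;
    }
    return $polls[$id];
}

// Constructed sample data and inputs, for demonstration only.
$polls = [
    1 => ['question' => 'Favourite editor?'],
    2 => ['question' => 'Tabs or spaces?'],
];
$inputs = ['2', '02', "2\n", '2abc', '2+2', ['2'], '99'];

foreach ($inputs as $raw) {
    $poll = load_poll($polls, $raw);
    printf("%-10s => %s\n", json_encode($raw), $poll === null ? 'rejected' : $poll['question']);
}
```

Only the first input resolves to a poll; every other value is rejected before it is used. Because the NOTE says other scripts share the issue, the same check would be needed at each place "poll_id" is read.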