Executive Summary



This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Informations
NameCVE-2008-4304First vendor Publication2008-12-23
VendorCveLast vendor Modification2017-08-07

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score10Attack RangeNetwork
Cvss Impact Score10Attack ComplexityLow
Cvss Expoit Score10AuthenticationNone Required
Calculate full CVSS 2.0 Vectors scores

Security Protection

ImpactsProvides administrator access : Allows complete confidentiality, integrity, and availability violation; Allows unauthorized disclosure of information; Allows disruption of service.

Detail

general/login.php in phpCollab 2.5 rc3 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in unspecified input related to the SSL_CLIENT_CERT environment variable. NOTE: in some environments, SSL_CLIENT_CERT always has a base64-encoded string value, which may impose constraints on injection for typical shells.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4304

CAPEC : Common Attack Pattern Enumeration & Classification

idName
CAPEC-6Argument Injection
CAPEC-15Command Delimiters
CAPEC-43Exploiting Multiple Input Interpretation Layers
CAPEC-88OS Command Injection
CAPEC-108Command Line Execution through SQL Injection

CWE : Common Weakness Enumeration

%idName
100 %CWE-78Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection') (CWE/SANS Top 25)

CPE : Common Platform Enumeration

TypeDescriptionCount
Application8

OpenVAS Exploits

DateDescription
2008-12-23Name : Gentoo Security Advisory GLSA 200812-20 (phpcollab)
File : nvt/glsa_200812_20.nasl

Open Source Vulnerability Database (OSVDB)

idDescription
50949phpCollab general/login.php SSL_CLIENT_CERT Environment Variable Shell Metach...

Nessus® Vulnerability Scanner

DateDescription
2008-12-22Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-200812-20.nasl - Type : ACT_GATHER_INFO

Sources (Detail)

SourceUrl
BID http://www.securityfocus.com/bid/32964
CONFIRM http://bugs.gentoo.org/show_bug.cgi?id=235052
GENTOO http://security.gentoo.org/glsa/glsa-200812-20.xml
XF https://exchange.xforce.ibmcloud.com/vulnerabilities/47522

Alert History

If you want to see full details history, please login or register.
0
1
2
3
DateInformations
2017-08-08 09:24:24
  • Multiple Updates
2016-04-26 17:51:51
  • Multiple Updates
2014-02-17 10:46:46
  • Multiple Updates
2013-05-11 00:27:09
  • Multiple Updates