Detections
Analytics

ionCube loader-wizard.php Remote Information Disclosure

medium Nessus Plugin ID 73331

Language:

Synopsis

The remote web server hosts a PHP script that is affected by an information disclosure vulnerability.

Description

The ionCube 'loader-wizard.php' script hosted on the remote web server is affected by a remote information disclosure vulnerability because the script fails to properly sanitize user-supplied input to the 'ininame' parameter. An attacker could potentially leverage this to view arbitrary files by forming a request containing directory traversal sequences.

Note that the 'loader-wizard.php' script is also reportedly affected by additional information disclosure issues as well as a cross-site scripting vulnerability; however, Nessus has not tested for these additional issues.

Solution

Upgrade to version 2.46 or later and remove access to or remove the 'loader-wizard.php' script.

See Also

http://www.nessus.org/u?9562db7d

Plugin Details

Severity: Medium

ID: 73331

File Name: ioncube_loader_wizard_info_disclosure.nasl

Version: 1.8

Type: remote

Family: CGI abuses

Published: 4/4/2014

Updated: 6/4/2024

Supported Sensors: Nessus

Enable CGI Scanning: true

Risk Information

CVSS Score Rationale: Information disclosure

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: manual

Vulnerability Information

CPE: cpe:/a:ioncube:php_encoder

Required KB Items: www/PHP, www/ioncube

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Ease: No known exploits are available

Exploited by Nessus: true

Patch Publication Date: 3/4/2014

Vulnerability Publication Date: 3/30/2014

Reference Information

BID: 66531