PHP Live! Helper < 2.1.0 Multiple Vulnerabilities

high Nessus Network Monitor Plugin ID 4627

Synopsis

The remote host is vulnerable to multiple attack vectors.

Description

The remote host is running PHP Live Helper, a customer support application.

This version of Live Helper is affected by multiple flaws.

There is a SQL injection flaw in the handling of malformed data passed to the 'dep' parameter of the 'onlinestatus_html.php' script. An attacker exploiting this flaw would be able to execute arbitrary SQL commands against the database server.

There is a flaw in the way that the application handles data passed to the 'libsecure.php' source file. An attacker exploiting this flaw would be able to change the behavior of the database server.

There is a flaw in the way that the application handles data passed to the 'rg' parameter of the 'globalsoff.php' file. An attacker exploiting this flaw might be able to execute arbitrary code via an 'eval()' function call.

Solution

Upgrade to version 2.1.0 or higher.

See Also

http://demos.turnkeywebtools.com/phplivehelper/docs/change_log.txt

Plugin Details

Severity: High

ID: 4627

Family: CGI

Published: 8/18/2008

Updated: 3/6/2019

Risk Information

VPR

Risk Factor: Medium

Score: 6.6

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: High

Base Score: 7.3

Temporal Score: 6.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:php_live:php_live

Reference Information

CVE: CVE-2008-3762, CVE-2008-3763, CVE-2008-3764

BID: 30729