CRE Loaded Multiple Security Bypass Vulnerabilities

Summary
The host is running CRE Loaded and is prone to multiple security bypass vulnerabilities.
Impact
Successful exploitation will allow an attacker to bypass authentication and gain administrator privileges.
Impact Level: Application
Solution
Upgrade to CRE Loaded version 6.4.0 or later. For updates refer to http://www.creloaded.com/
Insight
The flaws are due to:
- An error when handling the 'PHP_SELF' variable in includes/application_top.php and admin/includes/application_top.php.
- A request with 'login.php' or 'password_forgotten.php' appended as the 'PATH_INFO' bypasses a check that uses 'PHP_SELF', which is not properly handled by includes/application_top.php and admin/includes/application_top.php.
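
The check pattern described above, shown beside a hardened form, as an added example that is not CRE Loaded source code. The function names, the page name example_page.php and the request arrays are assumptions constructed for illustration.

```php
<?php
// Added illustration; not CRE Loaded source. Function names are hypothetical
// and the $_SERVER-style arrays below are constructed sample input.

const PUBLIC_PAGES = ['login.php', 'password_forgotten.php'];

// Weak pattern: PHP_SELF is SCRIPT_NAME followed by PATH_INFO, so its
// basename comes from trailing path data chosen by the client.
function is_public_page_weak(array $server): bool
{
    return in_array(basename($server['PHP_SELF']), PUBLIC_PAGES, true);
}

// Hardened pattern: a request carrying PATH_INFO is never treated as public,
// and the decision uses SCRIPT_NAME, the script that is actually executing.
function is_public_page_hardened(array $server): bool
{
    if (($server['PATH_INFO'] ?? '') !== '') {
        return false;
    }
    return in_array(basename($server['SCRIPT_NAME']), PUBLIC_PAGES, true);
}

// Constructed requests: the real login page, and a protected page with
// 'login.php' appended as PATH_INFO (the case the Insight describes).
$requests = [
    'genuine login page' => [
        'SCRIPT_NAME' => '/admin/login.php',
        'PHP_SELF'    => '/admin/login.php',
    ],
    'protected page + PATH_INFO' => [
        'SCRIPT_NAME' => '/admin/example_page.php',
        'PATH_INFO'   => '/login.php',
        'PHP_SELF'    => '/admin/example_page.php/login.php',
    ],
];

foreach ($requests as $label => $server) {
    printf(
        "%-28s weak: login %s | hardened: login %s\n",
        $label,
        is_public_page_weak($server) ? 'skipped' : 'required',
        is_public_page_hardened($server) ? 'skipped' : 'required'
    );
}
```

A web server rule that denies requests with trailing path data on .php scripts gives a second layer for installations that cannot be upgraded immediately.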
Affected
CRE Loaded versions before 6.4.0