CVE-2010-1337
Description
Multiple PHP remote file inclusion vulnerabilities in definitions.php in Lussumo Vanilla 1.1.10, and possibly 0.9.2 and other versions, allow remote attackers to execute arbitrary PHP code via a URL in the (1) include and (2) Configuration['LANGUAGE'] parameters.
Mitigations
No mitigations published for this CVE yet.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
Lussumo Vanilla 1.1.10 - 'definitions.php' Multiple Remote File Inclusions
source: https://www.securityfocus.com/bid/38889/info
Vanilla is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the computer; other attacks are also possible.
Vanilla 1.1.10 and prior versions are vulnerable.
http://www.example.com/PATH/languages/yourlanguage/definitions.php?include= [inj3ct0r]
http://www.example.com/PATH/languages/yourlanguage/definitions.php?Configuration['LANGUAGE']= [inj3ct0r]
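As an added illustration (not Vanilla's own code and not part of the Exploit-DB entry above): a hypothetical PHP language loader that shows the remote-file-inclusion pattern the description and advisory refer to, next to a hardened version that resolves the requested language against a fixed allow-list and a real path under the languages directory. The function names, the allow-list entries and the directory layout are assumptions.

```php
<?php
// Added example, not Lussumo Vanilla's actual definitions.php.
// Hypothetical loader: a request parameter selects which language file is included.

// VULNERABLE PATTERN (hypothetical): the include path is built from user input.
// With allow_url_include=On, a value such as http://host/x.txt is fetched and executed.
function load_language_vulnerable(array $request, string $base): void
{
    $file = $request['include'] ?? 'english';
    include $base . '/' . $file . '/definitions.php';
}

// HARDENED: map the request to one of a fixed set of names, build the path from
// trusted parts only, and confirm the resolved file really lives under $base.
function resolve_language_file(string $requested, string $base): ?string
{
    $allowed = ['english', 'german', 'french'];   // constructed allow-list
    if (!in_array($requested, $allowed, true)) {
        return null;                               // unknown language: refuse
    }
    $path = realpath($base . '/' . $requested . '/definitions.php');
    $root = realpath($base);
    if ($path === false || $root === false
        || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;                               // missing, or not under $base
    }
    return $path;                                  // a local file we chose, not a URL
}

function load_language_hardened(array $request, string $base): bool
{
    $requested = (string)($request['include'] ?? 'english');
    $path = resolve_language_file($requested, $base);
    if ($path === null) {
        return false;                              // caller logs and falls back to default
    }
    include $path;
    return true;
}

// Defence in depth at the interpreter level (php.ini), independent of the code fix:
//   allow_url_include = Off   ; include/require refuse http:// and ftp:// paths
//   allow_url_fopen   = Off   ; if nothing else on the host needs remote streams
```

The same allow-list approach applies to any other request-controlled value that ends up in an include path, such as the Configuration['LANGUAGE'] parameter named in the description.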
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| lussumo | vanilla | up to and including 1.1.10 | |
| lussumo | vanilla | 0.9.2 | |
| lussumo | vanilla | 1.0.1 | |
| lussumo | vanilla | 1.0.2 | |
| lussumo | vanilla | 1.0.3 | |
| lussumo | vanilla | 1.1 | |
| lussumo | vanilla | 1.1.1 | |
| lussumo | vanilla | 1.1.2 | |
| lussumo | vanilla | 1.1.3 | |
| lussumo | vanilla | 1.1.4 | |
| lussumo | vanilla | 1.1.5 | |
| lussumo | vanilla | 1.1.6 | |
| lussumo | vanilla | 1.1.7 | |
| lussumo | vanilla | 1.1.8 | |
| lussumo | vanilla | 1.1.9 | |
References
- http://www.packetstormsecurity.com/1003-exploits/vanilla-rfi.txt
- http://www.securityfocus.com/bid/38889
- https://exchange.xforce.ibmcloud.com/vulnerabilities/57147
CWEs
CWE-94