2010/4/18 MustLive <mustlive (at) websecurity.com (dot) ua [email concealed]>:
>
> Command Execution:
>
> It's possible to upload arbitrary files (shell upload) via module â??Banner
> systemâ? in admin panel.
>
This is not a command execution vulnerability but an arbitrary file
upload vulnerability with very very low risk (you need to know the
access to the control panel). Many web hosting provider doesn't allow
an user to execute commands using the classic functions, such as
system, shell_execute and others.
>
> Command Execution:
>
> It's possible to upload arbitrary files (shell upload) via module â??Banner
> systemâ? in admin panel.
>
This is not a command execution vulnerability but an arbitrary file
upload vulnerability with very very low risk (you need to know the
access to the control panel). Many web hosting provider doesn't allow
an user to execute commands using the classic functions, such as
system, shell_execute and others.
--
Salvatore Fresta aka Drosophila
http://www.salvatorefresta.net
CWNP444351
[ reply ]