CVE-2007-6632 - Code Injection vulnerability in Xml2Owl 0.1.1

Publication

2008-01-04

Last modification

2017-09-29

Summary

showCode.php in xml2owl 0.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the path parameter.

Description

The 'xml2owl' program is prone to a vulnerability that allows attackers to execute arbitrary PHP commands. An attacker may leverage this issue to run arbitrary PHP commands with the privileges of the server process. This can compromise the application and possibly the underlying server. This issue affects xml2owl 0.1.1; other versions may be vulnerable as well.

Solution

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: info@vumetric.com.

Exploit

An attacker can exploit this vulnerability with a browser. The following proof of concept is available: http://www.example.com/showCode.php?path=;uname -a
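Since no vendor patch is listed, a defender's first step is to find out whether the pattern above is being thrown at the server. The following script is an added example, not code from this advisory or from the xml2owl project: it scans constructed access-log lines (combined log format and the IP addresses are assumptions) for requests to showCode.php whose path parameter carries shell metacharacters, percent-decoding repeatedly so a double-encoded payload is not missed.

```python
import re
from urllib.parse import unquote_plus

# Combined-format access line: client IP, timestamp, request line, status (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Shell metacharacters that never belong in a file path handed to showCode.php.
SHELL_META = re.compile(r"[;|&`$<>\n]")

def query_values(url, name):
    """Return every value of parameter `name`; split on '&' only (parse_qs may also split on ';')."""
    query = url.partition("?")[2]
    return [v for k, _, v in (p.partition("=") for p in query.split("&")) if k == name]

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so a double-encoded payload (%253B -> %3B -> ;) is caught."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def flag_line(line):
    """(ip, decoded path) for a showCode.php request whose path parameter has shell metacharacters, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = m.group("url")
    if not url.partition("?")[0].endswith("/showCode.php"):
        return None  # other scripts are out of scope for this advisory
    for raw in query_values(url, "path"):
        decoded = decode_fully(raw)
        if SHELL_META.search(decoded):
            return (m.group("ip"), decoded)
    return None

def scan_log(text):
    """Return the list of flagged (ip, decoded path) pairs found in a log excerpt."""
    return [hit for line in text.splitlines() if (hit := flag_line(line))]

# Constructed sample: one benign request, the advisory's PoC, an unrelated script, a double-encoded variant.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Jan/2008:10:15:02 +0000] "GET /xml2owl/showCode.php?path=examples%2Fdemo.xml HTTP/1.1" 200 1834
203.0.113.9 - - [04/Jan/2008:10:16:41 +0000] "GET /xml2owl/showCode.php?path=%3Buname%20-a HTTP/1.1" 200 412
198.51.100.7 - - [04/Jan/2008:10:17:03 +0000] "GET /xml2owl/index.php?path=%3Bid HTTP/1.1" 200 77
203.0.113.9 - - [04/Jan/2008:10:18:10 +0000] "GET /xml2owl/showCode.php?path=%253Bid HTTP/1.1" 200 90
"""

if __name__ == "__main__":
    for ip, value in scan_log(SAMPLE_LOG):
        print(f"{ip} sent shell metacharacters in showCode.php path: {value!r}")
```

Until the script can be patched, the same check (decode, then reject any path value containing SHELL_META) belongs in front of showCode.php, whether in a WAF rule or in the script itself before the value reaches a shell.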

Classification

CWE-94 - Code Injection

Risk level (CVSS AV:N/AC:M/Au:N/C:P/I:P/A:P)

Medium

6.8

  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial

Affected Products

Vendor    Product    Versions
Xml2Owl   Xml2Owl    0.1.1