Title: PHPSlash Arbitrary Account Privilege Escalation Vulnerability
Severity: HIGH
Description:
phpSlash is an open source groupware utility implemented in PHP.
phpSlash is prone to a privilege escalation vulnerability.
The problem presents itself in 'Author.class::saveProfile', where the application uses the user-controlled 'ary' variable, instead of the current 'author_id', to update user profile data. An attacker can supply an arbitrary account value to the 'ary' variable and modify that account's profile data, including the account password.
Successful exploitation would result in an attacker gaining control of arbitrary accounts of the affected application. Hijacking of an administrator account could aid in further attacks against the underlying system.
The vendor has addressed this issue in phpSlash 0.8.1; earlier versions are reported vulnerable.
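The flaw class described above, shown as an added illustration and not as phpSlash source code: a profile update keyed on a request-supplied identifier, next to a version keyed on the session's author_id. The function names, the in-memory $authors store, the 'author_id' key inside the request array and the sample values are assumptions made for the example.

```php
<?php
// Illustrative sketch only, not phpSlash source. Function names, the $authors
// store and the layout of the request array are hypothetical.

// Constructed sample data standing in for the author table.
$authors = [
    1 => ['author_name' => 'admin', 'password' => password_hash('admin-pw', PASSWORD_DEFAULT)],
    2 => ['author_name' => 'alice', 'password' => password_hash('alice-pw', PASSWORD_DEFAULT)],
];

// Flawed pattern from the advisory: the row to update is selected by an
// identifier taken from the request array ($ary).
function saveProfileUnsafe(array &$authors, array $ary): bool
{
    $id = (int)($ary['author_id'] ?? 0);   // caller-controlled selector
    if (!isset($authors[$id])) {
        return false;
    }
    $authors[$id]['password'] = password_hash($ary['password'], PASSWORD_DEFAULT);
    return true;
}

// Corrected pattern: the row is selected by the authenticated session's
// author_id; a request identifier that disagrees is rejected and logged.
function saveProfileSafe(array &$authors, int $sessionAuthorId, array $ary): bool
{
    $requested = isset($ary['author_id']) ? (int)$ary['author_id'] : $sessionAuthorId;
    if ($requested !== $sessionAuthorId) {
        error_log("profile update rejected: session author $sessionAuthorId, request author $requested");
        return false;
    }
    if (!isset($authors[$sessionAuthorId])) {
        return false;
    }
    $authors[$sessionAuthorId]['password'] = password_hash($ary['password'], PASSWORD_DEFAULT);
    return true;
}

// Constructed request: the session belongs to author 2, the form names author 1.
$sessionAuthorId = 2;
$request = ['author_id' => 1, 'password' => 'new-password'];

$copy = $authors;
var_dump(saveProfileUnsafe($copy, $request));                      // update accepted
var_dump(password_verify('new-password', $copy[1]['password']));   // author 1 was changed

$copy = $authors;
var_dump(saveProfileSafe($copy, $sessionAuthorId, $request));      // update refused
var_dump(password_verify('admin-pw', $copy[1]['password']));       // author 1 is intact
```

The rejection log line in the corrected version doubles as a detection point: a session whose requests repeatedly name another account's identifier is worth reviewing.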
Affected Products:
- PHPSlash PHPSlash 0.5.32
- PHPSlash PHPSlash 0.6.1
- PHPSlash PHPSlash 0.7.1
- PHPSlash PHPSlash 0.7.2
- PHPSlash PHPSlash 0.8.0
References:
- phpSlash: phpSlash 0.8.1 release notes
- phpSlash: phpSlash Homepage