Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 14 Apr 2014 10:16:43 +0100
From: Pedro Ribeiro <pedrib@...il.com>
To: oss-security@...ts.openwall.com
Cc: Bernhard Rusch <Bernhard.Rusch@...ments.at>
Subject: Remote code execution in Pimcore CMS

Hi,

I have discovered a PHP object injection in Pimcore CMS.

Depending on the PHP version under which Pimcore is running, it is possible
to achieve remote code execution in the worst case, and arbitrary file
deletion at best.

Please find attached the report, which is also available at

https://github.com/pedrib/PoC/blob/master/pimcore-2.1.0.txt

Can you please provide a CVE number for this?

Thanks in advance.

Regards
Pedro

Content of type "text/html" skipped

View attachment "pimcore-2.1.0.txt" of type "text/plain" (7191 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ