phpFox <= 3.0.1 (module.class.php) OS Command Injection Vulnerability

Description:

phpFox contains a flaw in the Phpfox_Module::getComponent() method, defined in the module.class.php script, which does not properly sanitize input passed via the ‘phpfox[call]’ or ‘core[call]’ parameters before using it in an eval() call. This may allow an attacker to inject and execute arbitrary OS commands.
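
A detection sketch for the two parameters named above, added here as an example and not taken from phpFox or from the original advisory. It assumes combined-format access logs and assumes that a benign value is a plain dotted identifier; the log lines, paths and values are constructed.

```python
import re
from urllib.parse import parse_qsl

# Parameters named in the advisory.
WATCHED_PARAMS = {"phpfox[call]", "core[call]"}
# Assumption: a benign value is a short dotted identifier with no PHP metacharacters.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_.-]{1,64}")
# Request-line portion of a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"')

# Constructed sample log lines (documentation address range, made-up paths and values).
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Mar/2012:10:00:01 +0000] "GET /index.php?do=/profile/ HTTP/1.1" 200 5120',
    '203.0.113.9 - - [23/Mar/2012:10:00:07 +0000] "GET /index.php?core%5Bcall%5D=core.x%27.CONSTRUCTED.%27 HTTP/1.1" 200 312',
    '203.0.113.7 - - [23/Mar/2012:10:00:09 +0000] "GET /index.php?phpfox[call]=user.browse HTTP/1.1" 200 2048',
]


def suspicious_calls(log_lines):
    """Return (line_number, parameter, decoded_value) for watched parameters
    whose decoded value contains characters outside the expected pattern."""
    findings = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST.search(line)
        if not match:
            continue  # not a recognisable request line
        # Everything after the first '?' is the query string.
        query = match.group(1).partition("?")[2]
        # parse_qsl percent-decodes both keys and values, so an encoded
        # key such as core%5Bcall%5D is matched as core[call].
        for key, value in parse_qsl(query):
            if key in WATCHED_PARAMS and not SAFE_VALUE.fullmatch(value):
                findings.append((number, key, value))
    return findings


if __name__ == "__main__":
    for number, key, value in suspicious_calls(SAMPLE_LOG):
        print(f"line {number}: {key} = {value!r}")
```

Access logs normally record only the query string, so values sent in a POST body need the same check applied at a proxy or WAF that can see request bodies.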

References:

Disclosure Date:

March 23, 2012