phpFox <= 3.0.1 (module.class.php) OS Command Injection Vulnerability


phpFox contains a flaw related to the Phpfox_Module::getComponent() method defined in the module.class.php script which not properly sanitize input passed via the ‘phpfox[call]’ or ‘core[call]’ parameters before using it in an eval() call. This may allow an attacker to inject and execute arbitrary OS commands.


Disclosure Date:

March 23, 2012