Re: CVE Request: CrawlTrack < 3.2.7 - remote php code execution

[Josh Bressers <bressers () redhat com>]

----- Original Message -----
> Versions of CrawlTrack prior to 3.2.7 are, according to the vendor,
> vulnerable to a remote PHP code execution attack if the stats pages
> are public
>
> Vendor changelog: http://www.crawltrack.net/changelog.php
>
> The attack vector isn't disclosed but a diff between 3.2.6 and 3.2.7
> show the vendor's fix was to escape special characters (using
> http://php.net/htmlspecialchars ) in values supplied through POST
> variables.

Please use CVE-2010-4537

Thanks.

-- 
    JB