CVE-2006-6629 - lib/WeBWorK/PG/Translator.pm in WeBWorK Program Generation (PG) Language before 2.3.1 uses an insuff

CVE-2006-6629

Summary

lib/WeBWorK/PG/Translator.pm in WeBWorK Program Generation (PG) Language before 2.3.1 uses an insufficiently restrictive regular expression to determine valid macro filenames, which allows attackers to load arbitrary macro files whose names contain the strings (1) dangerousMacros.pl, (2) PG.pl, or (3) IO.pl. This vulnerability is addressed in the following product release: WeBWorK, Program Generation Language, 2.3.1

References

Vulnerable Configurations

cpe:2.3:a:webwork:program_generation_language:*:*:*:*:*:*:*:*
cpe:2.3:a:webwork:program_generation_language:*:*:*:*:*:*:*:*

CVSS

Base:	7.5 (as of 08-03-2011 - 02:46)
Impact:
Exploitability:

CWE

NVD-CWE-Other

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:L/Au:N/C:P/I:P/A:P

refmap via4

bid	21614
confirm	http://devel.webwork.rochester.edu/twiki/bin/view/Webwork/PGLanguageRelease2pt3pt1
vupen	ADV-2006-5026

Last major update

08-03-2011 - 02:46

Published

18-12-2006 - 11:28

Last modified

08-03-2011 - 02:46