CVE-2005-1755 in PHP Poll Creatorinfo

Summary

by MITRE

PHP remote file inclusion vulnerability in poll_vote.php in PHP Poll Creator 1.01 allows remote attackers to execute arbitrary PHP code via the relativer_pfad parameter.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/31/2017

The vulnerability identified as CVE-2005-1755 represents a critical remote file inclusion flaw in PHP Poll Creator version 1.01 that exposes systems to arbitrary code execution attacks. This vulnerability specifically affects the poll_vote.php script which fails to properly validate user input parameters, creating an avenue for malicious actors to inject and execute arbitrary PHP code on the target server. The flaw manifests through the relativer_pfad parameter which is directly used in file inclusion operations without adequate sanitization or validation checks.

From a technical perspective, this vulnerability falls under the category of insecure direct object references and improper input validation as classified by CWE-22 and CWE-94. The vulnerability exploits the lack of proper parameter validation in the poll_vote.php script where the relativer_pfad variable is directly incorporated into a file inclusion statement. Attackers can manipulate this parameter to point to malicious remote files or local paths that contain malicious PHP code, effectively allowing remote code execution on the vulnerable system. The vulnerability is particularly dangerous because it does not require authentication or special privileges to exploit, making it accessible to any remote attacker who can submit requests to the affected application.

The operational impact of this vulnerability extends beyond simple code execution to encompass complete system compromise and potential data breaches. Successful exploitation allows attackers to execute arbitrary commands on the web server, potentially leading to full system control, data exfiltration, and persistence mechanisms. The vulnerability can be leveraged to establish backdoors, install malware, or use the compromised server as a launching point for further attacks within the network infrastructure. Organizations running vulnerable versions of PHP Poll Creator face significant risk of unauthorized access, system compromise, and potential regulatory violations due to the exposure of sensitive data and systems.

Mitigation strategies for this vulnerability should prioritize immediate patching and updates to the PHP Poll Creator application to version 1.02 or later where the vulnerability has been addressed. System administrators should implement input validation controls that sanitize all user-supplied parameters before they are used in file operations, particularly focusing on the relativer_pfad parameter. Network-level protections such as web application firewalls can provide additional defense-in-depth measures by monitoring for suspicious patterns in incoming requests that attempt to exploit this vulnerability. Regular security audits and vulnerability assessments should be conducted to identify similar issues in other applications, with particular attention to file inclusion functions and parameter handling. Organizations should also implement the principle of least privilege by restricting file inclusion operations to specific directories and ensuring that user input cannot traverse to unauthorized file paths, aligning with security best practices outlined in the MITRE ATT&CK framework under the execution and persistence domains.

Reservation

05/26/2005

Disclosure

12/31/2005

Moderation

accepted

Entry

VDB-27835

CPE

ready

EPSS

0.02469

KEV

no

Activities

very low

Sector

Education

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!