• IDP Daily Update #1312
  posted: 11/18/08
  
• NSM Daily Update #1312
  posted: 11/18/08
  
• Deep Inspection 5.3r5 and above, 5.4, 6.0 #1312
  posted: 11/18/08
  
• Deep Inspection 5.1, 5.2, 5.3r4 and below #1300
  posted: 11/18/08
  
• Deep Inspection 5.0 #1132
  posted: 04/01/08
  
• Antivirus
  posted: 11/17/08

Text Size:        

• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: Freeway 'language' Parameter Multiple Local File Include Vulnerabilities

Severity: MODERATE

Description:

Freeway is an open-source ecommerce application implemented in PHP.

The application is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input to the 'language' parameter of the following scripts:

'includes/events_application_top.php'
'includes/languages/english/account.php'
'includes/languages/french/account.php'
'includes/languages/french/account_newsletters.php'
'includes/modules/faqdesk/faqdesk_article_require.php'
'includes/modules/newsdesk/newsdesk_article_require.php'
'templates/Freeway/boxes/card1.php'
'templates/Freeway/boxes/loginbox.php'
'templates/Freeway/boxes/whos_online.php'
'templates/Freeway/mainpage_modules/mainpage.php'

An attacker can exploit these vulnerabilities using directory-traversal strings to view local files in the context of the webserver process. This may aid in further attacks.

Freeway 1.4.1.171 is vulnerable; other versions may also be affected.

Affected Products:

• Freeway Project Freeway 1.4.1.171

References:

• Freeway Project: Freeway 1.4.2.197 patch notes
• Freeway Project: Freeway Homepage