CVE-2007-4338 Information
Description
index.php in Ryan Haudenschilt Family Connections (FCMS) before 0.9 allows remote attackers to access an arbitrary account by placing the account’s name in the value of an fcms_login_id cookie. NOTE: this can be leveraged for code execution via a POST with PHP code in the content parameter.
Reference
http://osvdb.org/39534
http://secunia.com/advisories/26421
http://securityreason.com/securityalert/3009
http://sourceforge.net/tracker/index.php?func=detail&aid=1778696&group_id=189733&atid=930513
http://www.attrition.org/pipermail/vim/2007-August/001762.html
http://www.attrition.org/pipermail/vim/2007-August/001768.html
http://www.securityfocus.com/archive/1/476142/100/0/threaded
http://www.securityfocus.com/archive/1/476293/100/0/threaded
http://www.securityfocus.com/bid/25276
https://exchange.xforce.ibmcloud.com/vulnerabilities/35966