N/A

Direct static code injection vulnerability in the modify_config action in admin.php for PHP-Stats 0.1.9.1 and earlier allows remote authenticated administrators to execute arbitrary PHP code via the option_new[compatibility_mode] parameter, which is not filtered before being stored in config.php. NOTE: this vulnerability can be exploited by remote unauthenticated attackers in conjunction with the option[admin_pass] authentication bypass vulnerability.

N/A

N/A

PHP-Stats 'admin.php'直接静态代码注入漏洞

PHP-Stats 0.1.9.1及其早期版本的admin.php，其modify_config操作中存在直接静态代码注入漏洞，远程经过身份验证的管理员可以通过option_new[compatibility_mode] 参数(在存储到config.php中前未经过滤)执行任意PHP码。 注意：该漏洞会被远程未经身份验证的攻击者，通过选项[admin_pass] 身份验证绕过漏洞加以利用。

N/A

N/A