CVE-2010-5094

The deleteinstallfiles function in control/ContentController.php in SilverStripe 2.3.x before 2.3.7 does not require ADMIN permissions, which allows remote attackers to delete index.php and "disrupt mod_rewrite-less URL routing."

Published: Aug 26, 2012
Updated: Apr 13, 2023
CVE: CVE-2010-5094
Severity: Medium
Exploit:

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:N/A:P

CWEs:

CWE-264

Affected Software
References

Software	From	Fixed in
silverstripe / silverstripe	2.3.4	2.3.4.x
silverstripe / silverstripe	2.3.0-rc2	2.3.0-rc2.x
silverstripe / silverstripe	2.3.1-rc2	2.3.1-rc2.x
silverstripe / silverstripe	2.3.0-rc3	2.3.0-rc3.x
silverstripe / silverstripe	2.3.3	2.3.3.x
silverstripe / silverstripe	2.3.1	2.3.1.x
silverstripe / silverstripe	2.3.1-rc1	2.3.1-rc1.x
silverstripe / silverstripe	2.3.5	2.3.5.x
silverstripe / silverstripe	2.3.6	2.3.6.x
silverstripe / silverstripe	2.3.0	2.3.0.x
silverstripe / silverstripe	2.3.2	2.3.2.x
silverstripe / silverstripe	2.3.0-rc1	2.3.0-rc1.x

http://doc.silverstripe.org/sapphire/en/trunk/changelogs//2.3.7
http://open.silverstripe.org/changeset/101227
http://www.openwall.com/lists/oss-security/2012/04/30/1
http://www.openwall.com/lists/oss-security/2012/04/30/3
http://www.openwall.com/lists/oss-security/2012/05/01/3
http://www.silverstripe.org/security-releases

Vulnerability Database

CVE-2010-5094