[Japanese]

JVNDB-2008-000049

Vulnerability in La!cooda WIZ and LacoodaST allowing an arbitrary PHP script execution

Overview

La!cooda WIZ and LacoodaST contain a vulnerability which may allow a malicious user to execute an arbitrary PHP script on the server.

La!cooda WIZ from System Consultants Co., Ltd. and LacoodaST from SpaceTag, Inc. are groupware providing schedule and task managements, etc. La!cooda WIZ and LacoodaST contain a vulnerability which may allow a malicious user to execute an arbitrary PHP script on the server.

Hirotaka Katagiri reported this vulnerability to IPA.
JPCERT/CC coordinated with the vendors under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V2 Severity:
Base Metrics 6.5 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: Single Instance
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
Affected Products


System Consultants Co.,Ltd.
  • La!coodaWIZ 1.4.0 and earlier
SPACETAG INC.
  • LacoodaST 2.1.3 and earlier

Impact

If an arbitrary PHP script is executed, files on the server could be deleted or disclosed.
Solution

[Update the Software]
Apply the latest updates provided by the vendors.
For more information, refer to the vendors' websites.
Vendor Information

System Consultants Co.,Ltd.
  • La!cooda WIZ : Details (Japanese)
SPACETAG INC.
CWE (What is CWE?)

  1. Code Injection(CWE-94) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2008-3737
References

  1. JVN : JVN#53886050
  2. National Vulnerability Database (NVD) : CVE-2008-3737
  3. Secunia Advisory : SA31582
  4. Secunia Advisory : SA31574
  5. SecurityFocus : 30791
  6. ISS X-Force Database : 44594
  7. JVN iPedia (Japanese) : JVNDB-2008-000049
Revision History

  • [2008/09/02]
      Web page published

Date Public2008/08/21
Date First Published2008/09/02
Date Last Updated2008/09/02