CVE-2016-9484

PHP FormMail Generator generates PHP code for standard web forms, and the code generated does not properly validate user input folder directories and is vulnerable to path traversal

Description

The generated PHP form code does not properly validate user input folder directories, allowing a remote unauthenticated attacker to perform a path traversal and access arbitrary files on the server. The PHP FormMail Generator website does not use version numbers and is updated continuously. Any PHP form code generated by this website prior to 2016-12-06 may be vulnerable.

Remediation

Solution:

The PHP FormMail Generator website as of 2016-12-06 generates PHP code that addresses these issues. Affected users are encouraged to regenerate the PHP form code using the website, or manually apply patches.

References

Link	Tags
https://www.kb.cert.org/vuls/id/494015	third party advisory us government resource
http://www.securityfocus.com/bid/94778	vdb entry third party advisory

Frequently Asked Questions

What is the severity of CVE-2016-9484?: CVE-2016-9484 has been scored as a high severity vulnerability.
How to fix CVE-2016-9484?: To fix CVE-2016-9484: The PHP FormMail Generator website as of 2016-12-06 generates PHP code that addresses these issues. Affected users are encouraged to regenerate the PHP form code using the website, or manually apply patches.
Is CVE-2016-9484 being actively exploited in the wild?: It is possible that CVE-2016-9484 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~6% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2016-9484?: CVE-2016-9484 affects PHP FormMail Generator.

Description

Remediation

Category

CWE-22 – Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

References

Frequently Asked Questions