This vulnerability has been modified since it was last analyzed by the NVD. It is awaiting reanalysis which may result in further changes to the information provided.
Current Description
Multiple PHP remote file inclusion vulnerabilities in WebYep 1.1.9, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via the webyep_sIncludePath in (1) files in the programm/lib/ directory including (a) WYApplication.php, (b) WYDocument.php, (c) WYEditor.php, (d) WYElement.php, (e) WYFile.php, (f) WYHTMLTag.php, (g) WYImage.php, (h) WYLanguage.php, (i) WYLink.php, (j) WYPath.php, (k) WYPopupWindowLink.php, (l) WYSelectMenu.php, and (m) WYTextArea.php; (2) files in the programm/elements/ directory including (n) WYGalleryElement.php, (o) WYGuestbookElement.php, (p) WYImageElement.php, (q) WYLogonButtonElement.php, (r) WYLongTextElement.php, (s) WYLoopElement.php, (t) WYMenuElement.php, and (u) WYShortTextElement.php; and (3) programm/webyep.php.
A quick introduction to setup and usage of WebYep within RapidWeaver, using the WebYep stacks by Stacks4Stacks. The WebYep stacks work with both the free version of WebYep and the forthcoming commercial version. The commercial version of WebYep is unbranded, with support for a REDACTOR rich text editor and file manager. You can use WebYep in RapidWeaver without the stacks. But our stacks make the setup of editable content regions in your pages much easier. WebYep 1.1.9 - 'webyepsIncludePath' File Inclusion. Webapps exploit for PHP platform.
WebYep is a Web Content Management System. WebYep is now Open Source. There are many WebCMS available, even Open Source, but WebYep is different: WebYep is designed to be simple. It's easier to get started and understand all its features. WebYep does not require a database server. WebYep is available in German and English.
Analysis Description
Multiple PHP remote file inclusion vulnerabilities in WebYep 1.1.9, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via the webyep_sIncludePath in (1) files in the programm/lib/ directory including (a) WYApplication.php, (b) WYDocument.php, (c) WYEditor.php, (d) WYElement.php, (e) WYFile.php, (f) WYHTMLTag.php, (g) WYImage.php, (h) WYLanguage.php, (i) WYLink.php, (j) WYPath.php, (k) WYPopupWindowLink.php, (l) WYSelectMenu.php, and (m) WYTextArea.php; (2) files in the programm/elements/ directory including (n) WYGalleryElement.php, (o) WYGuestbookElement.php, (p) WYImageElement.php, (q) WYLogonButtonElement.php, (r) WYLongTextElement.php, (s) WYLoopElement.php, (t) WYMenuElement.php, and (u) WYShortTextElement.php; and (3) programm/webyeb.php.
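The following is an added example, not part of the NVD record or WebYep's code: it scans web server access logs for requests that set webyep_sIncludePath on the affected scripts. The log format, the sample lines and the function names `scan` and `classify` are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Script locations named in the description. The two description texts spell
# the last file webyep.php and webyeb.php, so both spellings are matched.
AFFECTED = re.compile(
    r"/programm/(?:lib/WY\w+\.php|elements/WY\w+Element\.php|webye[pb]\.php)$")
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
PARAM = "webyep_sIncludePath"


def classify(value):
    """A URL scheme in the value points at a remote include attempt."""
    remote = re.match(r"[a-z][a-z0-9+.-]*://", value, re.I)
    return "remote-url" if remote else "local-path"


def scan(log_lines):
    """Return (line_no, path, kind) for requests that set PARAM on an affected script.
    Assumption: legitimate clients never send this parameter, so every hit
    deserves review. Access logs show only the query string; POST bodies and
    cookies, which register_globals also imports, need other logging.
    """
    hits = []
    for no, line in enumerate(log_lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not AFFECTED.search(url.path):
            continue
        # parse_qs percent-decodes, so encoded values are classified correctly.
        for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            hits.append((no, url.path, classify(value)))
    return hits


# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "-"',
    '192.0.2.55 - - [01/Jan/2024:10:00:05 +0000] "GET /programm/lib/WYPath.php'
    '?webyep_sIncludePath=http%3A%2F%2Fhost.invalid%2Fx HTTP/1.1" 200 0 "-" "-"',
    '192.0.2.55 - - [01/Jan/2024:10:00:09 +0000] "GET /programm/elements/WYMenuElement.php'
    '?webyep_sIncludePath=../inc/ HTTP/1.1" 200 0 "-" "-"',
    '192.0.2.77 - - [01/Jan/2024:10:01:00 +0000] "GET /programm/webyep.php HTTP/1.1" 200 900 "-" "-"',
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

A hit with kind `remote-url` matches the remote inclusion condition in the description; `local-path` hits still show the variable being supplied from the request and are worth reviewing.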
Severity
CVSS 3.x Severity and Metrics: NVD Analysts use publicly available information to associate vector strings and CVSS scores. We also display any CVSS information provided within the CVE List from the CNA.
Note: NVD Analysts have not published a CVSS score for this CVE at this time. NVD Analysts use publicly available information at the time of analysis to associate CVSS vector strings.
Weakness Enumeration
CWE-ID | CWE Name | Source |
---|---|---|
CWE-94 | Improper Control of Generation of Code ('Code Injection') | NIST |
Known Affected Software Configurations
Change History
4 change records found
Objective Development has announced the availability of new plug-ins for its Web Content Management System (CMS) WebYep that enable it to support the visual Web page editors RapidWeaver and Freeway Pro. WebYep costs €29 (US$38.17) per Web site.
Aimed at small and medium-sized Web sites, WebYep is a CMS developed for Web designers who don’t want to learn PHP in order to make their Web sites editable. It enables users to edit text, upload images and use CSS-based text formatting; it recognizes links and e-mail addresses and can encode them to hide them from spam spider engines. You can also use WebYep to build basic menu structures, repeat elements on a page, attach files and more.
WebYep already supports Adobe Dreamweaver; now the new plug-ins enable it to work with RapidWeaver from RealMac software or Softpress’ Freeway Pro, two visual Web page editors for Mac OS X.
The WebYep Actions Suite for Freeway was developed by a third party and costs an additional £20 (US$39.24) — more details are available from the download page.
System requirements call for a Web server with PHP4 support; Dreamweaver MX, MX 2004 or 8, RapidWeaver 3.5 or later and Freeway Pro 4 or later.