Key Information Summary

Vulnerability Information
Name: Quick Polls 1.0.1 Local File Inclusion / Deletion
CVE ID: CVE-2011-1099
CWE ID: CWE-22
Risk Level: Medium

Description
Two vulnerabilities exist in Quick Polls, allowing Local File Inclusion (LFI) and Local File Deletion (LFD). User-supplied input reaches file-handling functions in index.php, and a null byte (%00) in that input truncates the path at the point where the script appends its own suffix, so an attacker can choose which file on the server is included or deleted.
Version: 1.0.1

PoC Exploit
Local File Inclusion (LFI):
Local File Deletion (LFD):

Notes
Note: must be disabled for the null byte attack to be effective.

Solution
Upgrade to version 1.0.2 or later

Timeline
02/05/2011 - Initial vendor disclosure
02/07/2011 - Vendor fixes and releases new version
02/07/2011 - Confirmed public disclosure date with vendor
03/06/2011 - Public disclosure

References
http://www.focalmedia.net/create_voting_poll.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1099
http://www.uncompiled.com/2011/03/quick-polls-local-file-inclusion-deletion-vulnerabilities-cve-2011-1099/
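The following is an added illustration of the bug class described above, not Quick Polls code and not the advisory's PoC. The parameter names, directory layout and allow-list are assumptions; it shows the path-concatenation pattern that null-byte truncation defeats, next to a hardened replacement. Null-byte truncation of filesystem paths applies to PHP before 5.3.4; from 5.3.4 on, paths containing a NUL are rejected, but the traversal half of the problem remains unless input is validated.

```php
<?php
// Added example (not Quick Polls code). Parameter names, file layout and
// the allow-list are assumptions; the point is the pattern, not the product.

// --- Vulnerable pattern: user input concatenated into a path with a fixed suffix.
// On PHP < 5.3.4, "%00" in the query string becomes a real NUL in $_GET and the
// C-level open() stops reading the path at that NUL, so the appended ".php" or
// ".txt" suffix never reaches the filesystem. "../" sequences move out of the
// intended directory; together they give arbitrary-file include / delete.
function vulnerable_include(string $page): void {
    include 'pages/' . $page . '.php';          // e.g. ?page=../../../../etc/passwd%00
}
function vulnerable_delete(string $name): void {
    unlink('polls/' . $name . '.txt');          // e.g. ?name=../../index%00
}

// --- Hardened pattern: never build a filesystem path from raw input.
// 1. Reject anything that is not a plain identifier (this alone kills NUL,
//    "/" and ".." because none of them is in the permitted character class).
// 2. Map the identifier through an allow-list rather than trusting the name.
// 3. Resolve the final path and confirm it is still inside the base directory,
//    so a symlink or future change to the allow-list cannot escape it.
const BASE_PAGES = __DIR__ . '/pages';
const ALLOWED_PAGES = ['home', 'vote', 'results'];   // assumed page names

function safe_page_path(string $page): ?string {
    // \A and \z anchor the whole string; "$" would tolerate a trailing newline.
    if (!preg_match('/\A[a-z0-9_]{1,32}\z/', $page)) {
        return null;                                // malformed, NUL, or traversal
    }
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return null;                                // not a known page
    }
    $real = realpath(BASE_PAGES . '/' . $page . '.php');
    $base = realpath(BASE_PAGES);
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                                // missing, or outside the base dir
    }
    return $real;
}

function safe_include(string $page): void {
    $path = safe_page_path($page);
    if ($path === null) {
        http_response_code(400);
        exit('invalid page');
    }
    include $path;
}

// Same idea for deletion: validate the identifier, then act only on a path
// that has been resolved and confirmed to sit under the polls directory.
const BASE_POLLS = __DIR__ . '/polls';

function safe_delete_poll(string $name): bool {
    if (!preg_match('/\A[a-z0-9_]{1,32}\z/', $name)) {
        return false;
    }
    $real = realpath(BASE_POLLS . '/' . $name . '.txt');
    $base = realpath(BASE_POLLS);
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return unlink($real);
}

// Inputs of the shape the advisory describes are rejected before any
// filesystem call is made.
var_dump(safe_page_path("../../../../etc/passwd\0"));
var_dump(safe_page_path("home\0"));
var_dump(safe_delete_poll("../../index\0"));
```

Each of the three calls at the end returns null or false from the identifier check alone, without touching the filesystem. The regex check is the load-bearing control; the realpath containment check is defence in depth for the case where the allow-listed directory itself is tampered with.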