Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score 6.4 (CVSS v2 base score)
CVE Id CVE-2006-2460
Last Modified 07 Mar 2011 09:36:14
Published 19 May 2006 06:02:00
Confidentiality Impact PARTIAL
Integrity Impact PARTIAL
Availability Impact NONE
Access Vector NETWORK
Access Complexity LOW
Authentication NONE

CVE-2006-2460

Summary

Sugar Suite Open Source (SugarCRM) 4.2 and earlier, when the PHP register_globals directive is enabled, does not protect critical variables such as $GLOBALS and $_SESSION from being overwritten by request parameters. A remote, unauthenticated attacker can use this to conduct directory traversal or PHP remote file inclusion attacks, as demonstrated by the public exploit that modifies the GLOBALS[sugarEntry] parameter (SugarCRM's entry-point flag); see the "OptimisticLock!" reference below. The attack depends on register_globals, which has been off by default since PHP 4.2 and was removed in PHP 5.4, so installations that still run with it enabled should disable it in addition to upgrading.
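The following PHP is an added illustration written for this entry; it is not SugarCRM's code and not the published exploit. It models the two weak patterns the summary describes (a global variable used as an entry-point guard, and an include path assembled from session data, both writable through register_globals) beside a hardened equivalent and a deployment check. The function names, the `lock_module` session key, the `modules/<name>/Resolve.php` path, the allow-list contents and the sample request in the comments are assumptions made for the example.

```php
<?php
// Added illustration for this entry; not SugarCRM's code and not the exploit.
// Names (lock_module, modules/<name>/Resolve.php, the sample request below)
// are assumptions made for the example.
//
// Background: with register_globals=On, PHP imports every request parameter as
// a global variable, so a request such as
//   GET /resolve.php?GLOBALS[sugarEntry]=1
// can plant a value in $GLOBALS before the script reads it; the advisory
// states that $_SESSION entries are writable the same way. Later PHP releases
// blocked direct overwriting of GLOBALS from the request, and PHP 5.4 removed
// register_globals entirely.

// --- Weak pattern 1: entry-point guard that trusts a global variable ---------
function weak_entry_point_ok(): bool
{
    // A request parameter can set $GLOBALS['sugarEntry'] when register_globals is on.
    return !empty($GLOBALS['sugarEntry']);
}

// --- Weak pattern 2: include path assembled from session (or request) data ---
function weak_module_file(): string
{
    // If $_SESSION['lock_module'] is attacker-controlled, "../" reaches files
    // outside modules/ (directory traversal) and "http://..." becomes a remote
    // include when allow_url_fopen (PHP < 5.2) or allow_url_include (PHP >= 5.2)
    // is on.
    return 'modules/' . $_SESSION['lock_module'] . '/Resolve.php';
}

// --- Hardened equivalents -----------------------------------------------------
// The front controller defines a constant before including any module:
//     define('sugarEntry', true);
// Constants cannot be created or changed by request data, so this guard holds
// whether or not register_globals is on.
function safe_entry_point_ok(): bool
{
    return defined('sugarEntry') && sugarEntry;
}

// Resolve a module file only from an allow-list, then confirm the canonical path
// is still inside the modules directory, so neither traversal nor a URL survives.
function safe_module_file(string $module, string $modulesDir, array $allowed): ?string
{
    if (!in_array($module, $allowed, true)) {
        return null;                               // unknown module: refuse
    }
    $base = realpath($modulesDir);
    $path = realpath($modulesDir . '/' . $module . '/Resolve.php');
    if ($base === false || $path === false) {
        return null;                               // directory or file missing
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;                               // canonical path escaped the base
    }
    return $path;
}

// Deployment check: this whole bug class needs register_globals, so fail closed
// when it is on. ini_get() returns false on PHP 5.4+, where the directive is gone.
function refuse_if_register_globals(): void
{
    if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
        trigger_error('register_globals is enabled; refusing to run', E_USER_ERROR);
    }
}

// Example use: the module name comes from the request but is never used as a
// path directly; it is only ever matched against the allow-list.
refuse_if_register_globals();
$allowedModules = ['Accounts', 'Contacts', 'OptimisticLock'];   // assumed list
$requested = isset($_GET['module']) ? (string) $_GET['module'] : '';
$file = safe_module_file($requested, __DIR__ . '/modules', $allowedModules);
if (!safe_entry_point_ok() || $file === null) {
    http_response_code(403);
    exit('Not a valid entry point');
}
require_once $file;
```

The hardened version makes three independent changes: the guard is a constant rather than a variable, the include target is chosen from a fixed list and canonicalised with realpath() before use, and the script refuses to run at all while register_globals is enabled. Any one of them defeats the GLOBALS[sugarEntry] technique; together they also close the traversal and remote-inclusion paths that the loose include would otherwise expose.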

Vulnerable Systems

Application

  • SugarCRM 3.5

  • SugarCRM 4.0

  • SugarCRM 4.1

  • SugarCRM 4.2


References

VUPEN - ADV-2006-1791

BID - 17987

BUGTRAQ - 20060515 Sugar Suite Open Source <= 4.2 "OptimisticLock!" arbitrary remote inclusion exploit

SECTRACK - 1016087

SECUNIA - 20072

MISC - http://retrogod.altervista.org/sugar_suite_42_incl_xpl.html

XF - sugarsuite-modules-file-include(26451)

OSVDB - 25532

SREASON - 921

MILW0RM - 1785


Last Updated: 27 May 2016 10:42:28