Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score: 7.5
CVE Id: CVE-2006-2487
Last Modified: 07 Mar 2011 09:36:17
Published: 19 May 2006 07:02:00
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE

CVE-2006-2487

Summary

Multiple PHP remote file inclusion vulnerabilities in ScozNews 1.2.1 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the CONFIG[main_path] parameter in (1) functions.php, (2) template.php, (3) news.php, (4) help.php, (5) mail.php, (6) Admin/admin_cats.php, (8) Admin/admin_edit.php, (9) Admin/admin_import.php, and (10) Admin/admin_templates.php. NOTE: this might be resultant from a variable overwrite issue.

Vulnerable Systems

Application

  • Scoznet Scoznews 1.2.1


References

VUPEN - ADV-2006-1847

BID - 18027

SECUNIA - 20156

MILW0RM - 1800

XF - scoznews-functions-file-include(27717)

XF - scoznews-mainpath-file-include(26520)

BUGTRAQ - 20060713 ScozNews Final-Php <=1.1 Remote File Inclusion Vulnerability

OSVDB - 25616

SECTRACK - 1016491


Last Updated: 27 May 2016 10:42:29