Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score 7.5
CVE Id CVE-2006-3136
Last Modified 08 Sep 2011 12:00:00
Published 22 Jun 2006 06:06:00
Confidentiality Impact PARTIAL
Integrity Impact PARTIAL
Availability Impact PARTIAL
Access Vector NETWORK
Access Complexity LOW
Authentication NONE

CVE-2006-3136

Summary

** DISPUTED ** Multiple PHP remote file inclusion vulnerabilities in Nucleus 3.23 allow remote attackers to execute arbitrary PHP code via a URL in the DIR_LIBS parameter in (1) path/action.php, and to files in path/nucleus including (2) media.php, (3) /xmlrpc/server.php, and (4) /xmlrpc/api_metaweblog.inc.php. NOTE: this is a similar vulnerability to CVE-2006-2583. NOTE: this issue has been disputed by third parties, who state that the DIR_LIBS parameter is defined in an include file before being used.

Vulnerable Systems

Application

  • Nucleus Group Nucleus Cms 3.0

  • Nucleus Group Nucleus Cms 3.0 1

  • Nucleus Group Nucleus Cms 3.0 Rc

  • Nucleus Group Nucleus Cms 3.1

  • Nucleus Group Nucleus Cms 3.2

  • Nucleus Group Nucleus Cms 3.21

  • Nucleus Group Nucleus Cms 3.22

  • Nucleus Group Nucleus Cms 3.23


References

VUPEN - ADV-2006-2408

BID - 18475

BUGTRAQ - 20060617 Re: file include exploits in nucleus 3.23

BUGTRAQ - 20060616 file include exploits in nucleus 3.23

OSVDB - 27502

SECTRACK - 1016325

SREASON - 1120


Last Updated: 27 May 2016 10:42:54