CVE-2006-4733

Sažetak

PHP remote file inclusion vulnerability in sipssys/code/box.inc.php in Haakon Nilsen simple, integrated publishing system (SIPS) 0.3.1 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the config[sipssys] parameter. NOTE: the product's documentation recommends placing the affected file outside of the web root, so the scope of issue is limited to admins who do not, or cannot, follow this recommendation.

Reference

http://securityreason.com/securityalert/1549
http://sips.cvs.sourceforge.net/sips/sips/sipssys/code/box.inc.php?revision=1.9&view=markup
http://www.attrition.org/pipermail/vim/2007-February/001268.html
http://www.securityfocus.com/archive/1/445770/100/0/threaded
http://www.securityfocus.com/bid/19945
https://www.exploit-db.com/exploits/3245

CVSS

Base:	7.5
Impact:	6.4
Exploitability:	10.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	PARTIAL	PARTIAL

CVSS vektor

AV:N/AC:L/Au:N/C:P/I:P/A:P

Zadnje važnije ažuriranje

17-10-2018 - 21:39

Objavljeno

13-09-2006 - 22:07