Summary
The remote system contains a PHP application that is prone to remote file inclusion attacks.
Description
Aardvark Topsites PHP is installed on the remote host. It is an open source toplist management system written in PHP.
The application does not sanitize user-supplied input to the 'CONFIG[PATH]' variable in some PHP files. This allows an attacker to include arbitrary files from remote systems and execute them with the privileges of the web server process.
The flaw is exploitable only if PHP's 'register_globals' setting is on.
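The following PHP fragment is an added illustration for this entry, not code from Aardvark Topsites or from the advisory. It shows why a 'CONFIG[PATH]'-style include is unsafe when register_globals is on, and one hardened form: the path is assigned in code, resolved with realpath() and constrained to the application directory, and the script refuses to run at all while register_globals is enabled. The file name hypothetical_lib.php is a placeholder.

```php
<?php
// Added example (not Aardvark Topsites code). Demonstrates the register_globals
// failure mode described above and a hardened replacement.

// --- Vulnerable pattern (as described in the advisory) ---
// With register_globals=On, a request parameter named CONFIG[PATH] is turned
// into $CONFIG['PATH'] before this line runs, so the include path is
// attacker-controlled. Shown commented out on purpose:
// include $CONFIG['PATH'] . '/hypothetical_lib.php';

// --- Hardened pattern ---

// 1. Deployment guard: refuse to run while the dangerous setting is active.
//    ini_get() returns "" for a boolean directive that is off.
if (ini_get('register_globals')) {
    header('HTTP/1.1 500 Internal Server Error');
    exit('register_globals must be disabled (php.ini: register_globals = Off).');
}

// 2. Never let the request populate configuration. Define it in code,
//    overwriting anything a malformed environment might have set.
$CONFIG = array();
$CONFIG['PATH'] = dirname(__FILE__);   // fixed application directory

// 3. Defence in depth: resolve the path and require it to stay inside
//    the application directory before using it in an include.
$base     = realpath(dirname(__FILE__));
$resolved = realpath($CONFIG['PATH']);
if ($resolved === false || strpos($resolved, $base) !== 0) {
    header('HTTP/1.1 500 Internal Server Error');
    exit('Invalid application path.');
}

require $resolved . '/hypothetical_lib.php';   // placeholder file name
```

Disabling register_globals in php.ini (the advisory's solution) removes the root cause; the in-code checks only limit damage if a configuration regression reintroduces it. On PHP builds that support them, setting allow_url_include = Off and allow_url_fopen = Off additionally stops include from fetching remote URLs at all.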
Solution
Disable PHP's 'register_globals' or upgrade to the latest release.
References
CVE: CVE-2006-2149
Severity
CVSS Base Score: 6.4 (CVSS v2 vector AV:N/AC:L/Au:N/C:P/I:P/A:N)
Classification
-