Summary
The remote web server contains a PHP script that is affected by a remote file include issue.
Description:
The remote web server is running MODx CMS, an open source content management system.
The version of MODx CMS installed on the remote host fails to sanitize input to the 'base_path' parameter before using it in the 'manager/media/browser/mcpuk/connectors/php/Commands/Thumbnail.php' script to include PHP code. Provided PHP's 'register_globals' setting is enabled, an unauthenticated attacker can exploit this issue to view arbitrary files and execute arbitrary code, possibly taken from third-party hosts, on the remote host.
Solution
Update to version 0.9.2.2 or later.
References
Updated on 2017-03-28
Severity
Classification
-
CVE CVE-2006-5730 -
CVSS Base Score: 5.1
AV:N/AC:H/Au:N/C:P/I:P/A:P
Related Vulnerabilities
- Abtp Portal Project 'ABTPV_BLOQUE_CENT' Parameter Local and Remote File Include Vulnerabilities
- A4Desk Event Calendar 'eventid' Parameter SQL Injection Vulnerability
- Apache Tomcat 'sendfile' Request Attributes Information Disclosure Vulnerability
- A Really Simple Chat Multiple XSS Vulnerabilities
- Apache Continuum Cross Site Scripting Vulnerability