PhpMyAgenda Version 3.0 File Inclusion Vulnerability Network Vulnerability

Summary

The remote web server contains a PHP application that is prone to remote and local file inclusions attacks. Description : phpMyAgenda is installed on the remote system. It's an open source event management system written in PHP. The application does not sanitize the 'rootagenda' parameter in some of it's files. This allows an attacker to include arbitrary files from remote systems and parse them with privileges of the account under which the web server is started. This vulnerability exists if PHP's 'register_globals' & 'magic_quotes_gpc' are both enabled for the local file inclusions flaw. And if 'allow_url_fopen' is also enabled remote file inclusions are also possible.

Solution

No patch information provided at this time. Disable PHP's 'register_globals'

References

http://www.securityfocus.com/archive/1/431862/30/0/threaded

Updated on 2015-03-25

Severity

Classification

CVE CVE-2006-2009

CVSS	Base Score: 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P

Related Vulnerabilities

ActualAnalyzer Lite 'ant' Cookie Parameter Remote Command Execution Vulnerability
Admin News Tools Multiple Vulnerabilities
Advanced Guestbook Index.PHP SQL Injection Vulnerability
Apache Struts ClassLoader Manipulation Vulnerabilities
Baby Gekko CMS Multiple Vulnerabilities

phpMyAgenda version 3.0 File Inclusion Vulnerability

Take action and discover your vulnerabilities