Vulnerability CVE-2006-2005


Published: 2006-04-25   Modified: 2012-02-12

Description:
Eval injection vulnerability in index.php in ClanSys 1.1 allows remote attackers to execute arbitrary PHP code via PHP code in the page parameter, as demonstrated by using an "include" statement that is injected into the eval statement. NOTE: this issue has been described as file inclusion by some sources, but that is just one attack; the primary vulnerability is eval injection.

See advisories in our WLB2 database:
Topic: Clansys <= 1.1 PHP Code Insertion Vulnerability. (High)
Author: Mustafa Can Bjor...
Date: 26.04.2006

Type: CWE-Other

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10

Exploit range: Remote
Attack complexity: Low
Authentication: Not required

Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Affected software: Clansys -> Clansys

References:
http://securityreason.com/securityalert/782
http://securitytracker.com/id?1015988
http://www.nukedx.com/?getxpl=29
http://www.securityfocus.com/archive/1/431873/100/0/threaded
http://www.securityfocus.com/bid/17660
https://exchange.xforce.ibmcloud.com/vulnerabilities/25976

Copyright 2024, cxsecurity.com

 
