Vulnerability CVE-2006-6112


Published: 2006-12-06   Modified: 2012-02-12

Description:
LifeType 1.0.x and 1.1.x have insufficient access control for all of the PHP scripts under (1) class/ and (2) plugins/, which allows remote attackers to obtain the installation path via a direct request to any of the scripts, as demonstrated by (a) bayesianfilter.class.php and (b) bootstrap.php, which leaks the path in an error message.

See advisories in our WLB2 database:
Risk: Low
Topic: LifeType version 1.1.2 Multiple Path Disclosure Vulnerabilities
Author: Jesper Jurcenoks
Date: 07.12.2006

Type: CWE-Other

CVSS2 vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

Affected software: Lifetype -> Lifetype

References:
http://securityreason.com/securityalert/1980
http://www.lifetype.net/blog.php/lifetype-development-journal/2006/11/30/full_path_disclosure_vulnerability_in_lifetype_1.0.x_and_1.1.x
http://www.netvigilance.com/advisory0008
http://www.securityfocus.com/archive/1/453135/100/0/threaded
https://exchange.xforce.ibmcloud.com/vulnerabilities/30635

Copyright 2024, cxsecurity.com

 
