CVE-2006-0147

Dynamic code evaluation vulnerability in tests/tmssql.php test script in ADOdb for PHP before 4.70, as used in multiple products including (1) Mantis, (2) PostNuke, (3) Moodle, (4) Cacti, (5) Xaraya, (6) PhpOpenChat, possibly (7) MAXdev MD-Pro, and (8) Simplog, allows remote attackers to execute arbitrary PHP functions via the do parameter, which is saved in a variable that is then executed as a function, as demonstrated using phpinfo.

CVSS v2.0 7.5 HIGH

7.5^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://secunia.com/secunia_research/2005-64/advisory/	Exploit Patch Vendor Advisory
http://secunia.com/advisories/17418	Exploit Patch Vendor Advisory
http://secunia.com/advisories/18254	Patch Vendor Advisory
http://secunia.com/advisories/18267	Vendor Advisory
http://secunia.com/advisories/18260	Patch Vendor Advisory
http://secunia.com/advisories/18276	Patch Vendor Advisory
http://secunia.com/advisories/18233	Patch Vendor Advisory
http://www.debian.org/security/2006/dsa-1029	Patch Vendor Advisory
http://www.debian.org/security/2006/dsa-1030	Patch Vendor Advisory
http://www.debian.org/security/2006/dsa-1031
http://secunia.com/advisories/19555	Patch Vendor Advisory
http://secunia.com/advisories/19590	Patch Vendor Advisory
http://secunia.com/advisories/19591	Patch Vendor Advisory
http://retrogod.altervista.org/phpopenchat_30x_sql_xpl.html	Exploit
http://retrogod.altervista.org/simplog_092_incl_xpl.html	Exploit
http://secunia.com/advisories/19600	Vendor Advisory
http://secunia.com/advisories/19628	Patch Vendor Advisory
http://www.gentoo.org/security/en/glsa/glsa-200604-07.xml	Patch Vendor Advisory
http://secunia.com/advisories/19691
http://www.vupen.com/english/advisories/2006/1305
http://www.vupen.com/english/advisories/2006/0104
http://www.vupen.com/english/advisories/2006/0102
http://www.vupen.com/english/advisories/2006/1332
http://www.vupen.com/english/advisories/2006/0101
http://www.vupen.com/english/advisories/2006/0103
http://www.osvdb.org/22291
https://exchange.xforce.ibmcloud.com/vulnerabilities/24052
https://www.exploit-db.com/exploits/1663
http://www.securityfocus.com/archive/1/430743/100/0/threaded
http://www.securityfocus.com/archive/1/430448/100/0/threaded

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:moodle:moodle:1.5.3:::::::*
	cpe:2.3:a:postnuke_software_foundation:postnuke:0.761:::::::*
	cpe:2.3:a:the_cacti_group:cacti:0.8.6g:::::::*
	cpe:2.3:a:mantis:mantis:0.19.4:::::::*
	cpe:2.3:a:mantis:mantis:1.0.0_rc4:::::::*
	cpe:2.3:a:john_lim:adodb:4.66:::::::*
	cpe:2.3:a:john_lim:adodb:4.68:::::::*

Information

Published : 2006-01-09 15:03

Updated : 2018-10-19 08:42

NVD link : CVE-2006-0147

Mitre link : CVE-2006-0147

JSON object : View

CWE

NVD-CWE-Other

Products Affected

moodle

moodle

the_cacti_group

cacti

john_lim

adodb

postnuke_software_foundation

postnuke

mantis

mantis

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://secunia.com/secunia_research/2005-64/advisory/", "name": "http://secunia.com/secunia_research/2005-64/advisory/", "tags": ["Exploit", "Patch", "Vendor Advisory"], "refsource": "MISC"}, {"url": "http://secunia.com/advisories/17418", "name": "17418", "tags": ["Exploit", "Patch", "Vendor Advisory"], "refsource": "SECUNIA"}, {"url": "http://secunia.com/advisories/18254", "name": "18254", "tags": ["Patch", "Vendor Advisory"], "refsource": "SECUNIA"}, {"url": "http://secunia.com/advisories/18267", "name": "18267", "tags": ["Vendor Advisory"], "refsource": "SECUNIA"}, {"url": "http://secunia.com/advisories/18260", "name": "18260", "tags": ["Patch", "Vendor Advisory"], "refsource": "SECUNIA"}, {"url": "http://secunia.com/advisories/18276", "name": "18276", "tags": ["Patch", "Vendor Advisory"], "refsource": "SECUNIA"}, {"url": "http://secunia.com/advisories/18233", "name": "18233", "tags": ["Patch", "Vendor Advisory"], "refsource": "SECUNIA"}, {"url": "http://www.debian.org/security/2006/dsa-1029", "name": "DSA-1029", "tags": ["Patch", "Vendor Advisory"], "refsource": "DEBIAN"}, {"url": "http://www.debian.org/security/2006/dsa-1030", "name": "DSA-1030", "tags": ["Patch", "Vendor Advisory"], "refsource": "DEBIAN"}, {"url": "http://www.debian.org/security/2006/dsa-1031", "name": "DSA-1031", "tags": [], "refsource": "DEBIAN"}, {"url": "http://secunia.com/advisories/19555", "name": "19555", "tags": ["Patch", "Vendor Advisory"], "refsource": "SECUNIA"}, {"url": "http://secunia.com/advisories/19590", "name": "19590", "tags": ["Patch", "Vendor Advisory"], "refsource": "SECUNIA"}, {"url": "http://secunia.com/advisories/19591", "name": "19591", "tags": ["Patch", "Vendor Advisory"], "refsource": "SECUNIA"}, {"url": "http://retrogod.altervista.org/phpopenchat_30x_sql_xpl.html", "name": "http://retrogod.altervista.org/phpopenchat_30x_sql_xpl.html", "tags": ["Exploit"], "refsource": "MISC"}, {"url": "http://retrogod.altervista.org/simplog_092_incl_xpl.html", "name": "http://retrogod.altervista.org/simplog_092_incl_xpl.html", "tags": ["Exploit"], "refsource": "MISC"}, {"url": "http://secunia.com/advisories/19600", "name": "19600", "tags": ["Vendor Advisory"], "refsource": "SECUNIA"}, {"url": "http://secunia.com/advisories/19628", "name": "19628", "tags": ["Patch", "Vendor Advisory"], "refsource": "SECUNIA"}, {"url": "http://www.gentoo.org/security/en/glsa/glsa-200604-07.xml", "name": "GLSA-200604-07", "tags": ["Patch", "Vendor Advisory"], "refsource": "GENTOO"}, {"url": "http://secunia.com/advisories/19691", "name": "19691", "tags": [], "refsource": "SECUNIA"}, {"url": "http://www.vupen.com/english/advisories/2006/1305", "name": "ADV-2006-1305", "tags": [], "refsource": "VUPEN"}, {"url": "http://www.vupen.com/english/advisories/2006/0104", "name": "ADV-2006-0104", "tags": [], "refsource": "VUPEN"}, {"url": "http://www.vupen.com/english/advisories/2006/0102", "name": "ADV-2006-0102", "tags": [], "refsource": "VUPEN"}, {"url": "http://www.vupen.com/english/advisories/2006/1332", "name": "ADV-2006-1332", "tags": [], "refsource": "VUPEN"}, {"url": "http://www.vupen.com/english/advisories/2006/0101", "name": "ADV-2006-0101", "tags": [], "refsource": "VUPEN"}, {"url": "http://www.vupen.com/english/advisories/2006/0103", "name": "ADV-2006-0103", "tags": [], "refsource": "VUPEN"}, {"url": "http://www.osvdb.org/22291", "name": "22291", "tags": [], "refsource": "OSVDB"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/24052", "name": "adodb-tmssql-command-execution(24052)", "tags": [], "refsource": "XF"}, {"url": "https://www.exploit-db.com/exploits/1663", "name": "1663", "tags": [], "refsource": "EXPLOIT-DB"}, {"url": "http://www.securityfocus.com/archive/1/430743/100/0/threaded", "name": "20060412 Simplog <=0.9.2 multiple vulnerabilities", "tags": [], "refsource": "BUGTRAQ"}, {"url": "http://www.securityfocus.com/archive/1/430448/100/0/threaded", "name": "20060409 PhpOpenChat 3.0.x ADODB Server.php \"sql\" SQL injection", "tags": [], "refsource": "BUGTRAQ"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Dynamic code evaluation vulnerability in tests/tmssql.php test script in ADOdb for PHP before 4.70, as used in multiple products including (1) Mantis, (2) PostNuke, (3) Moodle, (4) Cacti, (5) Xaraya, (6) PhpOpenChat, possibly (7) MAXdev MD-Pro, and (8) Simplog, allows remote attackers to execute arbitrary PHP functions via the do parameter, which is saved in a variable that is then executed as a function, as demonstrated using phpinfo."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2006-0147", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "severity": "HIGH", "impactScore": 6.4, "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": true, "userInteractionRequired": false}}, "publishedDate": "2006-01-09T23:03Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:moodle:moodle:1.5.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:postnuke_software_foundation:postnuke:0.761:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:the_cacti_group:cacti:0.8.6g:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mantis:mantis:0.19.4:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mantis:mantis:1.0.0_rc4:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:john_lim:adodb:4.66:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:john_lim:adodb:4.68:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2018-10-19T15:42Z"}

7.5 /10