CVE-2006-2005

Eval injection vulnerability in index.php in ClanSys 1.1 allows remote attackers to execute arbitrary PHP code via PHP code in the page parameter, as demonstrated by using an "include" statement that is injected into the eval statement. NOTE: this issue has been described as file inclusion by some sources, but that is just one attack; the primary vulnerability is eval injection.

CVSS v2.0 7.5 HIGH

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://www.nukedx.com/?getxpl=29	Exploit
http://www.securityfocus.com/bid/17660
http://securitytracker.com/id?1015988	Exploit
http://www.osvdb.org/25083
http://securityreason.com/securityalert/782
https://exchange.xforce.ibmcloud.com/vulnerabilities/25976
http://www.securityfocus.com/archive/1/431873/100/0/threaded

Advertisement

Configurations

Configuration 1 (hide)

cpe:2.3:a:clansys:clansys:1.1:*:*:*:*:*:*:*

Information

Published : 2006-04-25 05:50

Updated : 2018-10-18 09:37

NVD link : CVE-2006-2005

Mitre link : CVE-2006-2005

JSON object : View

CWE

NVD-CWE-Other

Advertisement

Products Affected

clansys

clansys

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://www.nukedx.com/?getxpl=29", "name": "http://www.nukedx.com/?getxpl=29", "tags": ["Exploit"], "refsource": "MISC"}, {"url": "http://www.securityfocus.com/bid/17660", "name": "17660", "tags": [], "refsource": "BID"}, {"url": "http://securitytracker.com/id?1015988", "name": "1015988", "tags": ["Exploit"], "refsource": "SECTRACK"}, {"url": "http://www.osvdb.org/25083", "name": "25083", "tags": [], "refsource": "OSVDB"}, {"url": "http://securityreason.com/securityalert/782", "name": "782", "tags": [], "refsource": "SREASON"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/25976", "name": "clansys-index-file-include(25976)", "tags": [], "refsource": "XF"}, {"url": "http://www.securityfocus.com/archive/1/431873/100/0/threaded", "name": "20060423 Advisory: Clansys <= 1.1 PHP Code Insertion Vulnerability.", "tags": [], "refsource": "BUGTRAQ"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Eval injection vulnerability in index.php in ClanSys 1.1 allows remote attackers to execute arbitrary PHP code via PHP code in the page parameter, as demonstrated by using an \"include\" statement that is injected into the eval statement. NOTE: this issue has been described as file inclusion by some sources, but that is just one attack; the primary vulnerability is eval injection."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2006-2005", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "severity": "HIGH", "impactScore": 6.4, "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": true, "userInteractionRequired": false}}, "publishedDate": "2006-04-25T12:50Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:clansys:clansys:1.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2018-10-18T16:37Z"}