CVE-2006-2516

mainfile.php in XOOPS 2.0.13.2 and earlier, when register_globals is enabled, allows remote attackers to overwrite variables such as $xoopsOption['nocommon'] and conduct directory traversal attacks or include PHP files via (1) xoopsConfig[language] to misc.php or (2) xoopsConfig[theme_set] to index.php, as demonstrated by injecting PHP sequences into a log file.
Advertisement

NeevaHost hosting service

Configurations

Configuration 1 (hide)

OR cpe:2.3:a:xoops:xoops:2.0:*:*:*:*:*:*:*
cpe:2.3:a:xoops:xoops:2.0.4:*:*:*:*:*:*:*
cpe:2.3:a:xoops:xoops:2.0.5:*:*:*:*:*:*:*
cpe:2.3:a:xoops:xoops:2.0.9.3:*:*:*:*:*:*:*
cpe:2.3:a:xoops:xoops:*:*:*:*:*:*:*:*
cpe:2.3:a:xoops:xoops:2.0.11:*:*:*:*:*:*:*
cpe:2.3:a:xoops:xoops:2.0.12_jp:*:*:*:*:*:*:*
cpe:2.3:a:xoops:xoops:2.0.6:*:*:*:*:*:*:*
cpe:2.3:a:xoops:xoops:2.0.7:*:*:*:*:*:*:*
cpe:2.3:a:xoops:xoops:2.0.13.1:*:*:*:*:*:*:*
cpe:2.3:a:xoops:xoops:2.0.2:*:*:*:*:*:*:*
cpe:2.3:a:xoops:xoops:2.0.5.1:*:*:*:*:*:*:*
cpe:2.3:a:xoops:xoops:2.0.5.2:*:*:*:*:*:*:*
cpe:2.3:a:xoops:xoops:2.0.9.2:*:*:*:*:*:*:*
cpe:2.3:a:xoops:xoops:2.0.3:*:*:*:*:*:*:*
cpe:2.3:a:xoops:xoops:2.0.9:*:*:*:*:*:*:*
cpe:2.3:a:xoops:xoops:2.0.1:*:*:*:*:*:*:*
cpe:2.3:a:xoops:xoops:2.0.10:*:*:*:*:*:*:*

Information

Published : 2006-05-22 15:02

Updated : 2018-10-18 09:40


NVD link : CVE-2006-2516

Mitre link : CVE-2006-2516


JSON object : View

CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Advertisement

dedicated server usa

Products Affected

xoops

  • xoops