CVE-2006-3266

Name of the Vulnerable Software and Affected Versions Bee-hive Lite versions 1.2 and earlier

Description The issue allows remote attackers to execute arbitrary PHP code when register globals is enabled. This can be achieved via several parameters and files, including the header parameter to "/conad/include/rootGui.inc.php" and "/include/rootGui.inc.php", the mysqlCall parameter to various files such as "/conad/changeEmail.inc.php", "/conad/changeUserDetails.inc.php", "/conad/checkPasswd.inc.php", "/conad/login.inc.php", and "/conad/logout.inc.php", the mysqlcall parameter to "/include/listall.inc.php", the prefix parameter to "/show/index.php", and the config parameter to "/conad/include/mysqlCall.inc.php".

Recommendations For Bee-hive Lite versions 1.2 and earlier, consider disabling the register globals setting to prevent exploitation. As a temporary workaround, restrict access to the vulnerable files, such as "/conad/include/rootGui.inc.php", "/include/rootGui.inc.php", "/conad/changeEmail.inc.php", "/conad/changeUserDetails.inc.php", "/conad/checkPasswd.inc.php", "/conad/login.inc.php", "/conad/logout.inc.php", "/include/listall.inc.php", "/show/index.php", and "/conad/include/mysqlCall.inc.php", until a patch is available. Avoid using the header, mysqlCall, mysqlcall, prefix, and config parameters in the affected files until the issue is resolved.