CVE-2006-5220

Name of the Vulnerable Software and Affected Versions WebYep version 1.1.9

Description The issue allows remote attackers to execute arbitrary PHP code when register globals is enabled. This is due to multiple PHP remote file inclusion vulnerabilities in various files, including those in the programm/lib/ directory, such as WYApplication.php, WYDocument.php, WYEditor.php, WYElement.php, WYFile.php, WYHTMLTag.php, WYImage.php, WYLanguage.php, WYLink.php, WYPath.php, WYPopupWindowLink.php, WYSelectMenu.php, and WYTextArea.php, as well as files in the programm/elements/ directory, including WYGalleryElement.php, WYGuestbookElement.php, WYImageElement.php, WYLogonButtonElement.php, WYLongTextElement.php, WYLoopElement.php, WYMenuElement.php, and WYShortTextElement.php, and webyep.php in the programm/ directory. The vulnerability can be exploited via the webyep sIncludePath variable.

Recommendations As a temporary workaround, consider disabling the register globals setting until a patch is available. Restrict access to the vulnerable files in the programm/lib/ and programm/elements/ directories to minimize the risk of exploitation. Avoid using the webyep sIncludePath variable in the affected files until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.