CVE-2006-5432

Name of the Vulnerable Software and Affected Versions phpPowerCards version 2.10

Description The issue allows remote attackers to create or overwrite arbitrary files via several parameters when register globals is enabled. The vulnerable parameters include email[to], email[from], name[to], name[from], picture, comment, and sessionID. This can be exploited to create a new .php file that permits remote file inclusion.

Recommendations For phpPowerCards version 2.10, disable the register globals setting to prevent exploitation. Additionally, restrict access to the db/txt.inc.php file and consider validating and sanitizing user input for the email[to], email[from], name[to], name[from], picture, comment, and sessionID parameters to minimize the risk of arbitrary file creation or overwrite.