PT-2006-2819 · Php · Php121

Rgod

Published

2006-04-19

Updated

2017-10-19

CVE-2006-1828

CVSS v2.0

5.1

Medium

Vector

AV:N/AC:H/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions PHP121 version 1.4

Description The issue allows remote attackers to execute arbitrary SQL commands and potentially execute arbitrary code. This is achieved via the sess username variable, which is set by the php121un HTTP COOKIE parameter. The parameter is used in multiple files, including php121login.php. The code execution occurs because the SQL query results are used in an include statement.

Recommendations For PHP121 version 1.4, consider restricting access to the php121un HTTP COOKIE parameter and the sess username variable to minimize the risk of exploitation. As a temporary workaround, avoid using the sess username variable in SQL queries until a patch is available.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

CVE-2006-1828

Affected Products

Php121

PT-2006-2819 · Php · Php121

CVE-2006-1828

Related Identifiers

Affected Products

References · 9