CVE-2006-2686

Name of the Vulnerable Software and Affected Versions ActionApps version 2.8.1

Description The issue allows remote attackers to execute arbitrary PHP code via a URL in the GLOBALS[AA INC PATH] parameter in multiple files, including cached.php3, cron.php3, discussion.php3, filldisc.php3, filler.php3, fillform.php3, go.php3, hiercons.php3, jsview.php3, live checkbox.php3, offline.php3, post2shtml.php3, search.php3, slice.php3, sql update.php3, view.php3, and multiple files in the admin/, includes, and modules/ folders.

Recommendations For ActionApps version 2.8.1, consider restricting access to the GLOBALS[AA INC PATH] parameter to minimize the risk of exploitation. As a temporary workaround, avoid using the GLOBALS[AA INC PATH] parameter in the affected files until a patch is available. At the moment, there is no information about a newer version that contains a fix for this issue.