PT-2006-3782 · Blueshoes · Blueshoes Framework

Kacper

Published 2006-06-06 · Updated 2017-10-19

CVE-2006-2864

CVSS v2.0: 5.1 (Medium) · Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: BlueShoes Framework version 4.6

Description: The issue allows remote attackers to execute arbitrary PHP code via a URL in several parameters, including APP[path][applications], APP[path][core], GLOBALS[APP][path][core], and APP[path][plugins]. This is achieved by exploiting remote file inclusion vulnerabilities in various PHP files, such as Bs_Faq.class.php, fileBrowserInner.php, file.php, viewer.php, Bs_ImageArchive.class.php, Bs_Ml_User.class.php, and Bs_Wse_Profile.class.php.

Recommendations: For BlueShoes Framework version 4.6, consider disabling the vulnerable parameters, such as APP[path][applications], APP[path][core], GLOBALS[APP][path][core], and APP[path][plugins], to prevent exploitation until a patch is available. Restrict access to the affected PHP files, including Bs_Faq.class.php, fileBrowserInner.php, file.php, viewer.php, Bs_ImageArchive.class.php, Bs_Ml_User.class.php, and Bs_Wse_Profile.class.php, to minimize the risk of arbitrary PHP code execution.
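The root cause behind both the description and the recommendations is an include() whose base path is taken from a request-populated array. The following is an added illustration written for this page, not BlueShoes code and not the vendor's fix: it shows the dangerous pattern in a comment, then a loader that keeps the base path server-side, refuses any request that carries the APP[path] or GLOBALS[APP][path] keys named in the advisory, and only loads modules from an allowlist. The array key names come from the advisory; the directory layout, module names and function names are assumptions for the example.

```php
<?php
// Added illustration (not BlueShoes code): a request-controlled framework path
// turns a plain include() into remote file inclusion; a loader with a fixed
// base path and an allowlist removes the issue. Key names ($APP['path']['core'],
// GLOBALS[APP][path][core]) are from the advisory; everything else is assumed.
declare(strict_types=1);

// Vulnerable pattern, shown for contrast only. With register_globals=On the
// query string populates $APP before this line runs, and allow_url_include=On
// lets include() fetch the script from wherever $APP['path']['core'] points.
//
//     include $APP['path']['core'] . 'Bs_Misc.lib.php';
//
// Hardening at the PHP level: register_globals=Off (removed in PHP 5.4),
// allow_url_include=Off, allow_url_fopen=Off unless genuinely needed.

// Fixed, server-side base path: never derived from $_GET, $_POST or $_REQUEST.
const CORE_PATH = __DIR__ . '/core/';

// Allowlist of loadable module names (assumed for this example).
const ALLOWED_MODULES = ['Bs_Misc', 'Bs_Faq', 'Bs_ImageArchive'];

/**
 * True when the request carries any of the framework path keys named in the
 * advisory. Refusing such requests implements the "disable the vulnerable
 * parameters" recommendation and gives a clean signal to log for detection.
 */
function requestOverridesFrameworkPath(array $request): bool
{
    foreach (['APP', 'GLOBALS'] as $root) {
        if (!isset($request[$root]) || !is_array($request[$root])) {
            continue;
        }
        $node = $request[$root];
        if ($root === 'GLOBALS') {
            // GLOBALS[APP][path][...] reaches the same array one level deeper.
            if (!isset($node['APP']) || !is_array($node['APP'])) {
                continue;
            }
            $node = $node['APP'];
        }
        if (array_key_exists('path', $node)) {
            return true;
        }
    }
    return false;
}

/**
 * Resolves a module name to a file under CORE_PATH. Returns null for names
 * not on the allowlist, for anything that escapes the directory, and for URL
 * wrappers (http://, ftp://, php://, data:), which realpath() never resolves.
 */
function resolveCoreModule(string $module): ?string
{
    if (!in_array($module, ALLOWED_MODULES, true)) {
        return null;
    }
    $base = realpath(CORE_PATH);
    $real = realpath(CORE_PATH . $module . '.lib.php');
    if ($base === false || $real === false) {
        return null;
    }
    // realpath() collapses ../ and symlinks; the prefix check pins the result
    // inside the core directory even if a module file were itself a symlink.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

/** Request-handling entry point: refuse first, resolve second, include last. */
function loadCore(array $request, string $module): bool
{
    if (requestOverridesFrameworkPath($request)) {
        error_log('Rejected request carrying a framework path override key');
        http_response_code(400);
        return false;
    }
    $file = resolveCoreModule($module);
    if ($file === null) {
        http_response_code(404);
        return false;
    }
    require_once $file;
    return true;
}

// Constructed sample requests: the first mimics the advisory's parameter and is
// refused before any include() runs; the second is an ordinary page request.
$override = ['APP' => ['path' => ['core' => 'http://example.invalid/']]];
$ordinary = ['page' => 'faq'];

var_dump(requestOverridesFrameworkPath($override));
var_dump(requestOverridesFrameworkPath($ordinary));
var_dump(resolveCoreModule('../../etc/passwd'));
```

Run from the command line the three var_dump() calls print true, false and NULL respectively; in a real deployment loadCore() is what the page entry point calls, and the error_log() line in the refusal branch is the hook to feed a WAF or SIEM rule that watches for the APP[path] and GLOBALS[APP][path] keys.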


Related identifiers: CVE-2006-2864

Affected products: Blueshoes Framework