CVE-2006-2881

Name of the Vulnerable Software and Affected Versions DreamAccount versions 3.1 and earlier

Description The issue allows remote attackers to execute arbitrary PHP code when register globals is enabled. This is achieved by providing a URL in the da path parameter within specific scripts, including auth.cookie.inc.php, auth.header.inc.php, and auth.sessions.inc.php.

Recommendations For DreamAccount versions 3.1 and earlier, disable the register globals setting to prevent exploitation. Consider updating the software to a version where this issue is resolved, if available. As a temporary workaround, restrict access to the auth.cookie.inc.php, auth.header.inc.php, and auth.sessions.inc.php scripts to minimize the risk of exploitation. Avoid using the da path parameter in these scripts until the issue is resolved.