PT-2006-3871 · Xtreme Scripts · Xtreme Scripts Download Manager

Black Code

Published

2006-06-12

Updated

2018-10-18

CVE-2006-2964

CVSS v2.0

7.5

High

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions Xtreme Scripts Download Manager version 1.0

Description The issue allows remote attackers to execute arbitrary PHP code via a URL in the root parameter in several PHP files, including "download.php", "manager.php", "admin/scripts/category.php", "includes/add allow.php", "admin/index.php", and "admin/admin/login.php".

Recommendations For Xtreme Scripts Download Manager version 1.0, consider disabling the root parameter in the affected PHP files until a patch is available. Restrict access to the vulnerable PHP files to minimize the risk of exploitation. Avoid using the root parameter in the affected API endpoints until the issue is resolved.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

CVE-2006-2964

Affected Products

Xtreme Scripts Download Manager

PT-2006-3871 · Xtreme Scripts · Xtreme Scripts Download Manager

CVE-2006-2964

Related Identifiers

Affected Products

References · 11