CVE-2006-3042

Name of the Vulnerable Software and Affected Versions ISPConfig version 2.2.3

Description Multiple PHP remote file inclusion issues allow remote attackers to execute arbitrary PHP code via a URL in the go info[isp][classes root] parameter in server.inc.php, and the go info[server][classes root] parameter in app.inc.php, login.php, and trylogin.php. The vendor has disputed this issue, stating that the original researcher reviewed the installation tarball, which is not identical to the resulting system after installation.

Recommendations For ISPConfig version 2.2.3, consider disabling the go info[isp][classes root] and go info[server][classes root] parameters in the affected files until a patch is available. Restrict access to the vulnerable parameters to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.