CVE-2006-3193

Name of the Vulnerable Software and Affected Versions Grayscale BandSite CMS version 1.1.1

Description The issue allows remote attackers to execute arbitrary PHP code via a URL in the root path parameter to multiple files, including (1) includes/content/contact content.php, and several files in adminpanel/includes/add forms/, such as (2) addbioform.php, (3) addfliersform.php, (4) addgenmerchform.php, (5) addinterviewsform.php, (6) addlinksform.php, (7) addlyricsform.php, (8) addmembioform.php, (9) addmerchform.php, (10) addmerchpicform.php, (11) addnewsform.php, (12) addphotosform.php, (13) addreleaseform.php, (14) addreleasepicform.php, (15) addrelmerchform.php, (16) addreviewsform.php, (17) addshowsform.php, (18) addwearmerchform.php, as well as (19) adminpanel/includes/mailinglist/disphtmltbl.php and (20) adminpanel/includes/mailinglist/dispxls.php. This can occur when register globals is enabled.

Recommendations For Grayscale BandSite CMS version 1.1.1, consider disabling the root path parameter or restricting its use until a patch is available. Additionally, disabling register globals can help mitigate the risk of exploitation. As a temporary workaround, restrict access to the vulnerable files in the adminpanel/includes/add forms/ directory and the mailinglist directory to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.