PT-2006-6151 · Phppowercards · Phppowercards

Nuffsaid

Published

2006-10-20

Updated

2017-10-19

CVE-2006-5432

CVSS v2.0

2.6

Low

Vector

AV:N/AC:H/Au:N/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions phpPowerCards version 2.10

Description The issue allows remote attackers to create or overwrite arbitrary files via several parameters when register globals is enabled. The vulnerable parameters include email[to], email[from], name[to], name[from], picture, comment, and sessionID. This can be exploited to create a new .php file that permits remote file inclusion.

Recommendations For phpPowerCards version 2.10, disable the register globals setting to prevent exploitation. Additionally, restrict access to the db/txt.inc.php file and consider validating and sanitizing user input for the email[to], email[from], name[to], name[from], picture, comment, and sessionID parameters to minimize the risk of arbitrary file creation or overwrite.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

CVE-2006-5432

Affected Products

Phppowercards

PT-2006-6151 · Phppowercards · Phppowercards

CVE-2006-5432

Related Identifiers

Affected Products

References · 7