CVE-2006-5832

Name of the Vulnerable Software and Affected Versions: All In One Control Panel (AIOCP) versions 1.3.007 and earlier

Description: The issue allows remote attackers to obtain the full path of the web server via certain requests to specific API endpoints, including "public/code/cp dpage.php", "public/code/cp show ec products.php", and "public/code/cp show page help.php". The aiocp dp[] parameter in "public/code/cp dpage.php", the order field[] parameter in "public/code/cp show ec products.php", and the hp[] parameter in "public/code/cp show page help.php" may be involved, as they reveal the path in various error messages.

Recommendations: For All In One Control Panel (AIOCP) versions 1.3.007 and earlier, consider restricting access to the affected API endpoints "public/code/cp dpage.php", "public/code/cp show ec products.php", and "public/code/cp show page help.php" until a patch is available. As a temporary workaround, avoid using the parameters aiocp dp[], order field[], and hp[] in the respective endpoints to minimize the risk of exploitation.