CVE-2006-6771

Name of the Vulnerable Software and Affected Versions: Irokez CMS versions 0.7.1 and earlier

Description: The issue allows remote attackers to execute arbitrary PHP code via a URL in certain parameters when register globals is enabled. This is possible through the GLOBALS[PTH][func] parameter in "scripts/gallery.scr.php", the GLOBALS[PTH][spaw] parameter in "scripts/xtextarea.scr.php", and the GLOBALS[PTH][classes] parameter in several other scripts, including "sitemap.scr.php", "news.scr.php", "polls.scr.php", "rss.scr.php", "search.scr.php" in the scripts directory, and various files in the functions directory.

Recommendations: For Irokez CMS versions 0.7.1 and earlier, consider disabling the register globals setting to prevent exploitation. Additionally, restrict access to the vulnerable parameters GLOBALS[PTH][func], GLOBALS[PTH][spaw], and GLOBALS[PTH][classes] in the affected scripts until a patch is available. Avoid using these parameters in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.