Details of VAR-200608-0515

ID

VAR-200608-0515

CVE

CVE-2006-4026

TITLE

SAPID CMS In PHP Remote file inclusion vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2006-002994

DESCRIPTION

PHP remote file inclusion vulnerability in SAPID CMS 123 rc3 allows remote attackers to execute arbitrary PHP code via a URL in the (1) root_path parameter in usr/extensions/get_infochannel.inc.php and the (2) GLOBALS["root_path"] parameter in usr/extensions/get_tree.inc.php. (1) usr/extensions/get_infochannel.inc.php of root_path Parameters (2) usr/extensions/get_tree.inc.php of GLOBALS["root_path"] Parameters. Multiple SAPID applications are prone to multiple remote file-include vulnerabilities. These may facilitate a compromise of the application and the underlying system; other attacks are also possible. ---------------------------------------------------------------------- Hardcore Disassembler / Reverse Engineer Wanted! Want to work with IDA and BinDiff? Want to write PoC's and Exploits? Your nationality is not important. We will get you a work permit, find an apartment, and offer a relocation compensation package. http://secunia.com/hardcore_disassembler_and_reverse_engineer/ ---------------------------------------------------------------------- TITLE: SAPID CMS "root_path" File Inclusion Vulnerability SECUNIA ADVISORY ID: SA21410 VERIFY ADVISORY: http://secunia.com/advisories/21410/ CRITICAL: Highly critical IMPACT: System access WHERE: >From remote SOFTWARE: SAPID CMS 1.x http://secunia.com/product/6323/ DESCRIPTION: Simo64 has discovered some vulnerabilities in SAPID CMS, which can be exploited by malicious people to compromise a vulnerable system. Input passed to the "root_path" parameter in usr/extensions/get_infochannel.inc.php and usr/extensions/get_tree.inc.php is not properly verified before being used to include files. Successful exploitation requires that "register_globals" is enabled. The vulnerabilities have been confirmed in version 1.2.3 Stable and 1.2.3 RC3. Other versions may also be affected. SOLUTION: Edit the source code to ensure that input is properly verified. PROVIDED AND/OR DISCOVERED BY: Simo64 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Trust: 1.98

sources: NVD: CVE-2006-4026 // JVNDB: JVNDB-2006-002994 // BID: 19383 // PACKETSTORM: 48862

AFFECTED PRODUCTS

vendor:	redgraphic	model:	sapid cms	scope:	eq	version:	1.2.3	Trust: 1.6
vendor:	red graphic	model:	sapid cms	scope:	eq	version:	123 rc3	Trust: 0.8
vendor:	sapid	model:	shop	scope:	eq	version:	1.2	Trust: 0.3
vendor:	sapid	model:	gallery	scope:	eq	version:	1	Trust: 0.3
vendor:	sapid	model:	cms rc5	scope:	eq	version:	1.2.3	Trust: 0.3
vendor:	sapid	model:	cms rc3	scope:	eq	version:	1.2.3	Trust: 0.3
vendor:	sapid	model:	cms rc2	scope:	eq	version:	1.2.3	Trust: 0.3
vendor:	sapid	model:	cms	scope:	eq	version:	1.2.3	Trust: 0.3
vendor:	sapid	model:	blog beta	scope:	eq	version:	2	Trust: 0.3

sources: BID: 19383 // JVNDB: JVNDB-2006-002994 // CNNVD: CNNVD-200608-106 // NVD: CVE-2006-4026

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2006-4026
value:	HIGH
Trust: 1.0
NVD:	CVE-2006-4026
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-200608-106
value:	HIGH
Trust: 0.6

nvd@nist.gov:	CVE-2006-4026
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8

sources: JVNDB: JVNDB-2006-002994 // CNNVD: CNNVD-200608-106 // NVD: CVE-2006-4026

PROBLEMTYPE DATA

problemtype:

CWE-94

Trust: 1.8

sources: JVNDB: JVNDB-2006-002994 // NVD: CVE-2006-4026

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200608-106

TYPE

code injection

Trust: 0.6

sources: CNNVD: CNNVD-200608-106

CONFIGURATIONS

sources: JVNDB: JVNDB-2006-002994

PATCH

title:

SAPID CMS

url:

http://sapid.sourceforge.net/

Trust: 0.8

sources: JVNDB: JVNDB-2006-002994

EXTERNAL IDS

db:	NVD	id:	CVE-2006-4026	Trust: 2.4
db:	BID	id:	19383	Trust: 1.9
db:	SECUNIA	id:	21410	Trust: 1.7
db:	EXPLOIT-DB	id:	2128	Trust: 1.6
db:	VUPEN	id:	ADV-2006-3191	Trust: 1.6
db:	SECTRACK	id:	1016650	Trust: 1.6
db:	SREASON	id:	1346	Trust: 1.6
db:	JVNDB	id:	JVNDB-2006-002994	Trust: 0.8
db:	BUGTRAQ	id:	20060807 SAPID CMS REMOTE FILE INCLUSION VULNERABILITIES	Trust: 0.6
db:	MILW0RM	id:	2128	Trust: 0.6
db:	XF	id:	28250	Trust: 0.6
db:	CNNVD	id:	CNNVD-200608-106	Trust: 0.6
db:	PACKETSTORM	id:	48862	Trust: 0.1

sources: BID: 19383 // JVNDB: JVNDB-2006-002994 // PACKETSTORM: 48862 // CNNVD: CNNVD-200608-106 // NVD: CVE-2006-4026

REFERENCES

url:	http://www.securityfocus.com/bid/19383	Trust: 1.6
url:	http://secunia.com/advisories/21410	Trust: 1.6
url:	http://securitytracker.com/id?1016650	Trust: 1.6
url:	http://securityreason.com/securityalert/1346	Trust: 1.6
url:	http://www.securityfocus.com/archive/1/442425/100/0/threaded	Trust: 1.0
url:	http://www.vupen.com/english/advisories/2006/3191	Trust: 1.0
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/28250	Trust: 1.0
url:	https://www.exploit-db.com/exploits/2128	Trust: 1.0
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2006-4026	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2006-4026	Trust: 0.8
url:	http://xforce.iss.net/xforce/xfdb/28250	Trust: 0.6
url:	http://www.securityfocus.com/archive/1/archive/1/442425/100/0/threaded	Trust: 0.6
url:	http://www.milw0rm.com/exploits/2128	Trust: 0.6
url:	http://www.frsirt.com/english/advisories/2006/3191	Trust: 0.6
url:	http://milw0rm.com/exploits/2128	Trust: 0.6
url:	http://sourceforge.net/project/showfiles.php?group_id=118100	Trust: 0.3
url:	/archive/1/442425	Trust: 0.3
url:	http://secunia.com/product/6323/	Trust: 0.1
url:	http://secunia.com/secunia_security_advisories/	Trust: 0.1
url:	http://secunia.com/hardcore_disassembler_and_reverse_engineer/	Trust: 0.1
url:	http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org	Trust: 0.1
url:	http://secunia.com/advisories/21410/	Trust: 0.1
url:	http://secunia.com/about_secunia_advisories/	Trust: 0.1

sources: BID: 19383 // JVNDB: JVNDB-2006-002994 // PACKETSTORM: 48862 // CNNVD: CNNVD-200608-106 // NVD: CVE-2006-4026

CREDITS

Simo64 and Kacper are credited with the discovery of these vulnerabilities.

Trust: 0.9

sources: BID: 19383 // CNNVD: CNNVD-200608-106

SOURCES

db:	BID	id:	19383
db:	JVNDB	id:	JVNDB-2006-002994
db:	PACKETSTORM	id:	48862
db:	CNNVD	id:	CNNVD-200608-106
db:	NVD	id:	CVE-2006-4026

LAST UPDATE DATE

2024-08-14T14:08:26.666000+00:00

SOURCES UPDATE DATE

db:	BID	id:	19383	date:	2006-08-08T04:06:00
db:	JVNDB	id:	JVNDB-2006-002994	date:	2012-12-20T00:00:00
db:	CNNVD	id:	CNNVD-200608-106	date:	2006-08-18T00:00:00
db:	NVD	id:	CVE-2006-4026	date:	2018-10-17T21:32:59.690

SOURCES RELEASE DATE

db:	BID	id:	19383	date:	2006-08-07T00:00:00
db:	JVNDB	id:	JVNDB-2006-002994	date:	2012-12-20T00:00:00
db:	PACKETSTORM	id:	48862	date:	2006-08-10T00:40:54
db:	CNNVD	id:	CNNVD-200608-106	date:	2006-08-08T00:00:00
db:	NVD	id:	CVE-2006-4026	date:	2006-08-09T00:04:00