Vulnerabilities > CVE-2006-2866 - Remote File Include vulnerability in DotClear Prepend.PHP
Attack vector
NETWORK Attack complexity
HIGH Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
PHP remote file inclusion vulnerability in layout/prepend.php in DotClear 1.2.4 and earlier allows remote attackers to execute arbitrary PHP code via a FTP URL in the blog_dc_path parameter, which passes file_exists() and is_dir() tests on PHP 5.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 4 |
Exploit-Db
| description | DotClear <= 1.2.4 (prepend.php) Arbitrary Remote Inclusion Exploit. CVE-2006-2866. Webapps exploit for php platform |
| id | EDB-ID:1869 |
| last seen | 2016-01-31 |
| modified | 2006-06-03 |
| published | 2006-06-03 |
| reporter | rgod |
| source | https://www.exploit-db.com/download/1869/ |
| title | DotClear <= 1.2.4 prepend.php Arbitrary Remote Inclusion Exploit |
References
- http://retrogod.altervista.org/dotclear_124_php5_xpl.html
- http://secunia.com/advisories/20437
- http://securityreason.com/securityalert/1053
- http://www.securityfocus.com/archive/1/435873/100/0/threaded
- http://www.securityfocus.com/bid/18259
- http://www.vupen.com/english/advisories/2006/2137
- https://exchange.xforce.ibmcloud.com/vulnerabilities/26917