Vulnerabilities > CVE-2006-6771 - Remote File Include vulnerability in Irokez CMS 0.7.1

047910
CVSS 6.8 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
irokez
exploit available

Summary

Multiple PHP remote file inclusion vulnerabilities in Irokez CMS 0.7.1 and earlier, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the (1) GLOBALS[PTH][func] parameter in (a) scripts/gallery.scr.php; the (2) GLOBALS[PTH][spaw] parameter in (b) scripts/xtextarea.scr.php; and the (3) GLOBALS[PTH][classes] parameter in (c) sitemap.scr.php, (d) news.scr.php, (e) polls.scr.php, (f) rss.scr.php, (g) search.scr.php in scripts/, and (h) form.fun.php, (i) general.func.php, (j) groups.func.php, (k) js.func.php, (l) sections.func.php, and (m) users.func.php in functions/. Successful exploitation requires that "register_globals" is enabled.

Vulnerable Configurations

Part Description Count
Application
Irokez
1

Exploit-Db

  • descriptionIrokez CMS <= 0.7.1 Multiple Remote File Include Vulnerabilities. CVE-2006-6771. Webapps exploit for php platform
    fileexploits/php/webapps/3007.txt
    idEDB-ID:3007
    last seen2016-01-31
    modified2006-12-25
    platformphp
    port
    published2006-12-25
    reporternuffsaid
    sourcehttps://www.exploit-db.com/download/3007/
    titleIrokez CMS <= 0.7.1 - Multiple Remote File Include Vulnerabilities
    typewebapps
  • descriptionIrokez Blog 0.7.3.2 Multiple Input Validation Vulnerabilities. CVE-2006-6771. Webapps exploit for php platform
    idEDB-ID:32823
    last seen2016-02-03
    modified2009-02-27
    published2009-02-27
    reporterCorwin
    sourcehttps://www.exploit-db.com/download/32823/
    titleIrokez Blog 0.7.3.2 - Multiple Input Validation Vulnerabilities