CVE-2006-4656

Properties

Published: 07.09.2006
Updated: 30.11.2006
Patch available:
Severity: High
CVSS vector: (AV:R/AC:L/Au:NR/C:P/I:P/A:P/B:N)
Product: Web-Provence: SL_Site

Vulnerability description

PHP remote file inclusion vulnerability in admin/editeur/spaw_control.class.php in Web Provence SL_Site 1.0 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the spaw_root parameter. NOTE: CVE analysis suggests that this issue is actually in a third-party product, SPAW Editor PHP Edition.

References:

BUGTRAQ: http://www.securityfocus.com/archive/1/archive/1/445520/100/0/threaded
http://www.milw0rm.com/exploits/2317
BID: http://www.securityfocus.com/bid/19892
XF: http://xforce.iss.net/xforce/xfdb/28783
SECTRACK: http://securitytracker.com/id?1016814
http://spaw.cvs.sourceforge.net/spaw/spaw/docs/ChangeLog.txt?view=markup
http://spaw.cvs.sourceforge.net/spaw/spaw/spaw_control.class.php?r1=1.19&r2=1.20
http://spaw.cvs.sourceforge.net/spaw/spaw/spaw_control.class.php?r1=1.25&r2=1.26