ID CVE-2006-2881
Summary Multiple PHP remote file inclusion vulnerabilities in DreamAccount 3.1 and earlier, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the da_path parameter in the (1) auth.cookie.inc.php, (2) auth.header.inc.php, or (3) auth.sessions.inc.php scripts.
References
Vulnerable Configurations
  • cpe:2.3:a:dreamcost:dreamaccount:*:*:*:*:*:*:*:*
CVSS
Base: 5.1 (as of 18-10-2018 - 16:43)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
  • Vector: NETWORK
  • Complexity: HIGH
  • Authentication: NONE
Impact
  • Confidentiality: PARTIAL
  • Integrity: PARTIAL
  • Availability: PARTIAL
cvss-vector via4 AV:N/AC:H/Au:N/C:P/I:P/A:P
refmap via4
bid 18278
bugtraq
  • 20060605 [MajorSecurity #8]DreamAccount <= 3.1 - Remote File Include Vulnerability
  • 20060606 Re: [MajorSecurity #8]DreamAccount <= 3.1 - Remote File Include Vulnerability
exploit-db 1881
misc http://www.majorsecurity.de/advisory/major_rls8.txt
osvdb
  • 26168
  • 26169
  • 26170
sectrack 1016272
secunia 20468
sreason 1062
vupen ADV-2006-2152
xf dreamaccount-dapath-file-include(26932)
Last major update 18-10-2018 - 16:43
Published 07-06-2006 - 10:02
Last modified 18-10-2018 - 16:43