CVE-2007-1232 - Directory traversal vulnerability in SQLiteManager 1.2.0 allows remote attackers to read arbitrary f

CVE-2007-1232

Summary

Directory traversal vulnerability in SQLiteManager 1.2.0 allows remote attackers to read arbitrary files via a .. (dot dot) in a SQLiteManager_currentTheme cookie. Successful exploitation requires that "magic_quotes_gpc" is disabled. Additionally, in order to exploit this vulnerability to execute arbitrary code, the attacker would first be required to upload a malicious file or inject arbitrary commands into an existing file.

References

Vulnerable Configurations

cpe:2.3:a:sqlite_manager:sqlite_manager:1.2:*:*:*:*:*:*:*
cpe:2.3:a:sqlite_manager:sqlite_manager:1.2:*:*:*:*:*:*:*

CVSS

Base:	5.1 (as of 16-10-2018 - 16:37)
Impact:
Exploitability:

CWE

NVD-CWE-Other

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	HIGH	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:H/Au:N/C:P/I:P/A:P

d2sec via4

name	SQLiteManager 1.2.0 LFI
url	http://www.d2sec.com/exploits/sqlitemanager_1.2.0_lfi.html

refmap via4

bid	22727
bugtraq	20070224 SQLiteManager v1.2.0 Multiple Vulnerabilities
osvdb	33801
secunia	24296
sreason	2366
xf	sqlitemanager-sqlitemanager-file-include(32693)

Last major update

16-10-2018 - 16:37

Published

03-03-2007 - 19:19

Last modified

16-10-2018 - 16:37