CVE-2006-5432 - Vulnerability Details - OpenCVE

Description

Multiple direct static code injection vulnerabilities in db/txt.inc.php in phpPowerCards 2.10, when register_globals is enabled, allow remote attackers to create or overwrite arbitrary files via the (1) email[to], (2) email[from], (3) name[to], (4) name[from], (5) picture, (6) comment, or (7) sessionID parameter, as demonstrated by creating a new .php file that permits remote file inclusion, and then requesting this file.

Published: 2006-10-20

Score: 2.6 Low

EPSS: 11.8% Moderate

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

Configuration 1 [-]

cpe:2.3:a:marc_giombetti:phppowercards:2.10:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.11826.

Key SSVC decision points have not yet been added.

References

Link	Providers
http://secunia.com/advisories/22471
http://www.osvdb.org/29840
http://www.securityfocus.com/bid/20620
http://www.vupen.com/english/advisories/2006/4105
https://exchange.xforce.ibmcloud.com/vulnerabilities/29669
https://www.exploit-db.com/exploits/2590

History

No history.

Subscriptions

Marc Giombetti Phppowercards

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2006-10-20T23:00:00.000Z

Updated: 2024-08-07T19:48:30.202Z

Reserved: 2006-10-20T00:00:00.000Z

Link: CVE-2006-5432

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2006-10-20T23:07:00.000

Modified: 2025-04-09T00:30:58.490

Link: CVE-2006-5432

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

NVD-CWE-Other

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2006-10-18T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "Multiple direct static code injection vulnerabilities in db/txt.inc.php in phpPowerCards 2.10, when register_globals is enabled, allow remote attackers to create or overwrite arbitrary files via the (1) email[to], (2) email[from], (3) name[to], (4) name[from], (5) picture, (6) comment, or (7) sessionID parameter, as demonstrated by creating a new .php file that permits remote file inclusion, and then requesting this file."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-10-18T16:57:01.000Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "20620", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/20620"}, {"name": "ADV-2006-4105", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2006/4105"}, {"name": "phppowercards-txt-code-execution(29669)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/29669"}, {"name": "29840", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://www.osvdb.org/29840"}, {"name": "2590", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "https://www.exploit-db.com/exploits/2590"}, {"name": "22471", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/22471"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2006-5432", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Multiple direct static code injection vulnerabilities in db/txt.inc.php in phpPowerCards 2.10, when register_globals is enabled, allow remote attackers to create or overwrite arbitrary files via the (1) email[to], (2) email[from], (3) name[to], (4) name[from], (5) picture, (6) comment, or (7) sessionID parameter, as demonstrated by creating a new .php file that permits remote file inclusion, and then requesting this file."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "20620", "refsource": "BID", "url": "http://www.securityfocus.com/bid/20620"}, {"name": "ADV-2006-4105", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2006/4105"}, {"name": "phppowercards-txt-code-execution(29669)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/29669"}, {"name": "29840", "refsource": "OSVDB", "url": "http://www.osvdb.org/29840"}, {"name": "2590", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/2590"}, {"name": "22471", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/22471"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T19:48:30.202Z"}, "title": "CVE Program Container", "references": [{"name": "20620", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/20620"}, {"name": "ADV-2006-4105", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2006/4105"}, {"name": "phppowercards-txt-code-execution(29669)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/29669"}, {"name": "29840", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://www.osvdb.org/29840"}, {"name": "2590", "tags": ["exploit", "x_refsource_EXPLOIT-DB", "x_transferred"], "url": "https://www.exploit-db.com/exploits/2590"}, {"name": "22471", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/22471"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2006-5432", "datePublished": "2006-10-20T23:00:00.000Z", "dateReserved": "2006-10-20T00:00:00.000Z", "dateUpdated": "2024-08-07T19:48:30.202Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:marc_giombetti:phppowercards:2.10:*:*:*:*:*:*:*", "matchCriteriaId": "8E6444D8-3351-4A60-A320-675E16132471", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple direct static code injection vulnerabilities in db/txt.inc.php in phpPowerCards 2.10, when register_globals is enabled, allow remote attackers to create or overwrite arbitrary files via the (1) email[to], (2) email[from], (3) name[to], (4) name[from], (5) picture, (6) comment, or (7) sessionID parameter, as demonstrated by creating a new .php file that permits remote file inclusion, and then requesting this file."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de inyecci\u00f3n de c\u00f3digo est\u00e1tico directo en db/txt.inc.php en phpPowerCards 2.10, cuando register_globals est\u00e1 habilitado, permite a un atacante remoto crear o sobreescribir archivos de su elecci\u00f3n a trav\u00e9s de los par\u00e1metros (1) email[to], (2) email[from], (3) name[to], (4) name[from], (5) picture, (6) comment, o (7) sessionID, como se demostr\u00f3 con la creaci\u00f3n de un nuevo archivo .php que permite la inclusi\u00f3n de archivos remotos, y la respuesta de este archivo."}], "id": "CVE-2006-5432", "lastModified": "2025-04-09T00:30:58.490", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.6, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 4.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2006-10-20T23:07:00.000", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/22471"}, {"source": "cve@mitre.org", "url": "http://www.osvdb.org/29840"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://www.securityfocus.com/bid/20620"}, {"source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2006/4105"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/29669"}, {"source": "cve@mitre.org", "url": "https://www.exploit-db.com/exploits/2590"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/22471"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.osvdb.org/29840"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "http://www.securityfocus.com/bid/20620"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2006/4105"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/29669"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.exploit-db.com/exploits/2590"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}