CVE-2006-4548
Vulnerability from cvelistv5
Published
2006-09-06 00:00
Modified
2024-08-07 19:14
Severity ?
Summary
e107 0.75 and earlier does not properly unset variables when the input data includes a numeric parameter with a value matching an alphanumeric parameter's hash value, which allows remote attackers to execute arbitrary PHP code via the tinyMCE_imglib_include image/jpeg parameter in e107_handlers/tiny_mce/plugins/ibrowser/ibrowser.php, as demonstrated by a multipart/form-data request. NOTE: it could be argued that this vulnerability is due to a bug in the unset PHP command (CVE-2006-3017) and the proper fix should be in PHP; if so, then this should not be treated as a vulnerability in e107.
References
cve@mitre.orghttp://retrogod.altervista.org/e107_075_xpl.htmlExploit
cve@mitre.orghttp://securityreason.com/securityalert/1497
cve@mitre.orghttp://www.securityfocus.com/archive/1/444644/100/0/threaded
af854a3a-2127-422b-91ae-364da2661108http://retrogod.altervista.org/e107_075_xpl.htmlExploit
af854a3a-2127-422b-91ae-364da2661108http://securityreason.com/securityalert/1497
af854a3a-2127-422b-91ae-364da2661108http://www.securityfocus.com/archive/1/444644/100/0/threaded
Impacted products
Vendor Product Version
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-07T19:14:47.612Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://retrogod.altervista.org/e107_075_xpl.html"
          },
          {
            "name": "20060829 e107 \u003c= 0.75 GLOBALS[] overwrite/Zend_Hash_Del_Key_Or_Index remote commands execution",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/archive/1/444644/100/0/threaded"
          },
          {
            "name": "1497",
            "tags": [
              "third-party-advisory",
              "x_refsource_SREASON",
              "x_transferred"
            ],
            "url": "http://securityreason.com/securityalert/1497"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2006-08-29T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "e107 0.75 and earlier does not properly unset variables when the input data includes a numeric parameter with a value matching an alphanumeric parameter\u0027s hash value, which allows remote attackers to execute arbitrary PHP code via the tinyMCE_imglib_include image/jpeg parameter in e107_handlers/tiny_mce/plugins/ibrowser/ibrowser.php, as demonstrated by a multipart/form-data request.  NOTE: it could be argued that this vulnerability is due to a bug in the unset PHP command (CVE-2006-3017) and the proper fix should be in PHP; if so, then this should not be treated as a vulnerability in e107."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-10-17T20:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://retrogod.altervista.org/e107_075_xpl.html"
        },
        {
          "name": "20060829 e107 \u003c= 0.75 GLOBALS[] overwrite/Zend_Hash_Del_Key_Or_Index remote commands execution",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://www.securityfocus.com/archive/1/444644/100/0/threaded"
        },
        {
          "name": "1497",
          "tags": [
            "third-party-advisory",
            "x_refsource_SREASON"
          ],
          "url": "http://securityreason.com/securityalert/1497"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2006-4548",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "e107 0.75 and earlier does not properly unset variables when the input data includes a numeric parameter with a value matching an alphanumeric parameter\u0027s hash value, which allows remote attackers to execute arbitrary PHP code via the tinyMCE_imglib_include image/jpeg parameter in e107_handlers/tiny_mce/plugins/ibrowser/ibrowser.php, as demonstrated by a multipart/form-data request.  NOTE: it could be argued that this vulnerability is due to a bug in the unset PHP command (CVE-2006-3017) and the proper fix should be in PHP; if so, then this should not be treated as a vulnerability in e107."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://retrogod.altervista.org/e107_075_xpl.html",
              "refsource": "MISC",
              "url": "http://retrogod.altervista.org/e107_075_xpl.html"
            },
            {
              "name": "20060829 e107 \u003c= 0.75 GLOBALS[] overwrite/Zend_Hash_Del_Key_Or_Index remote commands execution",
              "refsource": "BUGTRAQ",
              "url": "http://www.securityfocus.com/archive/1/444644/100/0/threaded"
            },
            {
              "name": "1497",
              "refsource": "SREASON",
              "url": "http://securityreason.com/securityalert/1497"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2006-4548",
    "datePublished": "2006-09-06T00:00:00",
    "dateReserved": "2006-09-05T00:00:00",
    "dateUpdated": "2024-08-07T19:14:47.612Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:e107:e107:0.7:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"70AB914E-D616-45D2-A451-1C247B8B6E4C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:e107:e107:0.7.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"CA03C1AC-97EA-47ED-9558-A7CA48420AB2\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:e107:e107:0.7.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"32695A82-B042-46B7-9CB4-20F3446E0C9E\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:e107:e107:0.7.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"6716A040-0CBE-4402-AB2A-1621B1240B0F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:e107:e107:0.7.4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"81627355-AB45-4D47-8DD2-4087E6971EF2\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:e107:e107:0.7.5:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"D2DAAA4F-B893-4914-8538-E68DDA211225\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"e107 0.75 and earlier does not properly unset variables when the input data includes a numeric parameter with a value matching an alphanumeric parameter\u0027s hash value, which allows remote attackers to execute arbitrary PHP code via the tinyMCE_imglib_include image/jpeg parameter in e107_handlers/tiny_mce/plugins/ibrowser/ibrowser.php, as demonstrated by a multipart/form-data request.  NOTE: it could be argued that this vulnerability is due to a bug in the unset PHP command (CVE-2006-3017) and the proper fix should be in PHP; if so, then this should not be treated as a vulnerability in e107.\"}, {\"lang\": \"es\", \"value\": \"e107 0.75 y anteriores no se asignan correctamente variables cuando los datos de entrada incluyen un par\\u00e1metro num\\u00e9rico con un valor que empareja el valor del hash de un par\\u00e1metro alfanum\\u00e9rico, lo que permite a un atacante remoto ejecutar c\\u00f3digo PHP de su elecci\\u00f3n a trav\\u00e9s del par\\u00e1metro tinyMCE_imglib_include image/jpeg en e107_handlers/tiny_mce/plugins/ibrowser/ibrowser como se demostr\\u00f3 por una petici\\u00f3n a multipart/form-data. NOTA: podr\\u00eda ser discutido que esta vulnerabilidad se deba a un fallo en la desasignaci\\u00f3n del comando de PHP (CVE-2006-3017) y el arreglo apropiado debe estar en PHP; si es as\\u00ed entonces esto no se debe tratar como vulnerabilidad en e107.\"}]",
      "id": "CVE-2006-4548",
      "lastModified": "2024-11-21T00:16:13.520",
      "metrics": "{\"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:P/A:P\", \"baseScore\": 7.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 10.0, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": true, \"userInteractionRequired\": false}]}",
      "published": "2006-09-06T00:04:00.000",
      "references": "[{\"url\": \"http://retrogod.altervista.org/e107_075_xpl.html\", \"source\": \"cve@mitre.org\", \"tags\": [\"Exploit\"]}, {\"url\": \"http://securityreason.com/securityalert/1497\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://www.securityfocus.com/archive/1/444644/100/0/threaded\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://retrogod.altervista.org/e107_075_xpl.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\"]}, {\"url\": \"http://securityreason.com/securityalert/1497\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.securityfocus.com/archive/1/444644/100/0/threaded\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "cve@mitre.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-Other\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2006-4548\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2006-09-06T00:04:00.000\",\"lastModified\":\"2024-11-21T00:16:13.520\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"e107 0.75 and earlier does not properly unset variables when the input data includes a numeric parameter with a value matching an alphanumeric parameter\u0027s hash value, which allows remote attackers to execute arbitrary PHP code via the tinyMCE_imglib_include image/jpeg parameter in e107_handlers/tiny_mce/plugins/ibrowser/ibrowser.php, as demonstrated by a multipart/form-data request.  NOTE: it could be argued that this vulnerability is due to a bug in the unset PHP command (CVE-2006-3017) and the proper fix should be in PHP; if so, then this should not be treated as a vulnerability in e107.\"},{\"lang\":\"es\",\"value\":\"e107 0.75 y anteriores no se asignan correctamente variables cuando los datos de entrada incluyen un par\u00e1metro num\u00e9rico con un valor que empareja el valor del hash de un par\u00e1metro alfanum\u00e9rico, lo que permite a un atacante remoto ejecutar c\u00f3digo PHP de su elecci\u00f3n a trav\u00e9s del par\u00e1metro tinyMCE_imglib_include image/jpeg en e107_handlers/tiny_mce/plugins/ibrowser/ibrowser como se demostr\u00f3 por una petici\u00f3n a multipart/form-data. NOTA: podr\u00eda ser discutido que esta vulnerabilidad se deba a un fallo en la desasignaci\u00f3n del comando de PHP (CVE-2006-3017) y el arreglo apropiado debe estar en PHP; si es as\u00ed entonces esto no se debe tratar como vulnerabilidad en e107.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":true,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-Other\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:e107:e107:0.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"70AB914E-D616-45D2-A451-1C247B8B6E4C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:e107:e107:0.7.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CA03C1AC-97EA-47ED-9558-A7CA48420AB2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:e107:e107:0.7.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"32695A82-B042-46B7-9CB4-20F3446E0C9E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:e107:e107:0.7.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6716A040-0CBE-4402-AB2A-1621B1240B0F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:e107:e107:0.7.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"81627355-AB45-4D47-8DD2-4087E6971EF2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:e107:e107:0.7.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D2DAAA4F-B893-4914-8538-E68DDA211225\"}]}]}],\"references\":[{\"url\":\"http://retrogod.altervista.org/e107_075_xpl.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\"]},{\"url\":\"http://securityreason.com/securityalert/1497\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.securityfocus.com/archive/1/444644/100/0/threaded\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://retrogod.altervista.org/e107_075_xpl.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\"]},{\"url\":\"http://securityreason.com/securityalert/1497\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securityfocus.com/archive/1/444644/100/0/threaded\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.