Vulnerability Details : CVE-2006-3042
Multiple PHP remote file inclusion vulnerabilities in ISPConfig 2.2.3 allow remote attackers to execute arbitrary PHP code via a URL in the (1) go_info[isp][classes_root] parameter in (a) server.inc.php, and the (2) go_info[server][classes_root] parameter in (b) app.inc.php, (c) login.php, and (d) trylogin.php. NOTE: this issue has been disputed by the vendor, who states that the original researcher "reviewed the installation tarball that is not identical with the resulting system after installtion. The file, where the $go_info array is declared ... is created by the installer.
Vulnerability category: File inclusion
Exploit prediction scoring system (EPSS) score for CVE-2006-3042
Probability of exploitation activity in the next 30 days: 8.56%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 94 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2006-3042
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST |
References for CVE-2006-3042
-
http://securityreason.com/securityalert/1098
ISPConfig 2.2.3, File inclusion vulnerability - CXSecurity.com
-
http://www.osvdb.org/27474
404 Not Found
-
http://www.securityfocus.com/archive/1/437415/100/100/threaded
-
http://www.securityfocus.com/archive/1/437117/100/0/threaded
-
http://www.securityfocus.com/bid/18441
Exploit
Products affected by CVE-2006-3042
- cpe:2.3:a:ispconfig:ispconfig:2.2.3:*:*:*:*:*:*:*