CVE-2006-0660
published 2006-02-13
Priority P428, medium, 6.4 (CVSS 2.0)
AV:N/AC:L/Au:N/C:P/I:P/A:N
EXPLOIT
EPSS 4.62% (90.5th percentile)
Multiple directory traversal vulnerabilities in FarsiNews 2.5 and earlier allow remote attackers to (1) read arbitrary files or trigger an error message path disclosure via ".." or invalid names in the archive parameter to index.php, or (2) include arbitrary files via the template parameter to show_archives.php.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| farsinews | farsinews | — | — |
| farsinews | farsinews | — | — |
| farsinews | farsinews | — | — |
No detection rules found.
Exploit-DB
Farsinews 2.5 - Directory Traversal Arbitrary 'users.db' Access
exploitdb·2006-02-28
---
```perl
#!/usr/bin/perl
#
# FarsiNews 2.5pro Show User&Password
# Exploit by Hessam-x (www.hessamx.net)
#
#
######################################################
# ___ ___ __ #
# / | \_____ ____ | | __ ___________________ #
#/ ~ \__ \ _/ ___\| |/ // __ \_ __ \___ / #
#\ Y // __ \\ \___| __|_ \\___ >__| /_____ \ #
# \/ \/ \/ \/ \/ \/ #
# Iran Hackerz Security Team #
# WebSite: www.hackerz.ir #
# #
######################################################
# Description #
# #
# Name : FarsiNews [www.farsinewsteam.com] #
# version : 2.5Pro #
######################################################
# in FarsiNews if you change the archive value :
# http://localhost/index.php?archive=hamid
# see :
# Warning: file([PATH]/data/archives/hami
```
Exploit-DB
Farsinews 2.1/2.5 - 'show_archives.php?template' Traversal Arbitrary File Access
exploitdb·2006-02-10
---
source: https://www.securityfocus.com/bid/16580/info
FarsiNews is prone to directory-traversal and local file-include vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input.
An attacker can exploit the directory-traversal vulnerability to retrieve arbitrary files from the vulnerable system in the context of the webserver process.
The local file-include vulnerability lets the attacker include arbitrary local files. The impact of this issue depends on the content of the files included. If an attacker can place a malicious script on the vulnerable computer (either through legitimate means or through other latent vulnerabilities), then the attacker m
No writeups or analysis indexed.
http://forum.farsinewsteam.com/index.php?showtopic=71
http://forum.farsinewsteam.com/index.php?showtopic=76
http://secunia.com/advisories/18768
http://www.hamid.ir/security/farsinews2-5.txt
http://www.osvdb.org/23020
http://www.osvdb.org/23021
http://www.osvdb.org/23022
http://www.securityfocus.com/archive/1/424720/100/0/threaded
http://www.securityfocus.com/bid/16580
http://www.vupen.com/english/advisories/2006/0506
https://exchange.xforce.ibmcloud.com/vulnerabilities/24598
https://exchange.xforce.ibmcloud.com/vulnerabilities/24602