CVE-2006-0660

Farsinews - Path Traversal

Title source: rule

Description

Multiple directory traversal vulnerabilities in FarsiNews 2.5 and earlier allows remote attackers to (1) read arbitrary files or trigger an error message path disclosure via ".." or invalid names in the archive parameter to index.php, or (2) include arbitrary files via the template parameter to show_archives.php.

Exploits (2)

exploitdb WORKING POC VERIFIED

by Hessam-x · perlwebappsphp

https://www.exploit-db.com/exploits/1538

View Code ZIP pw:eip

exploitdb WRITEUP VERIFIED

by Hamid Ebadi · textwebappsphp

https://www.exploit-db.com/exploits/27183

View Code ZIP pw:eip

References (12)

[Various Sources] http://forum.farsinewsteam.com/index.php?showtopic=76

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/24598

[Third Party Advisory] http://www.vupen.com/english/advisories/2006/0506

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/24602

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/archive/1/424720/100/0/threaded

[Third Party Advisory, VDB Entry] http://www.osvdb.org/23020

[Exploit] http://www.securityfocus.com/bid/16580

[Various Sources] http://forum.farsinewsteam.com/index.php?showtopic=71

[Third Party Advisory, VDB Entry] http://www.osvdb.org/23021

[Exploit, Vendor Advisory] http://www.hamid.ir/security/farsinews2-5.txt

[Third Party Advisory, VDB Entry] http://www.osvdb.org/23022

[Patch, Vendor Advisory] http://secunia.com/advisories/18768

Scores

EPSS 0.0978

EPSS Percentile 93.0%

Details

Status published

Products (3)

farsinews/farsinews 2.1

farsinews/farsinews 2.1_beta2

farsinews/farsinews 2.5

Published Feb 13, 2006

Tracked Since Feb 18, 2026