Description
Multiple PHP remote file inclusion vulnerabilities in phpWebSite 0.10.2 allow remote attackers to execute arbitrary PHP code via a URL in the PHPWS_SOURCE_DIR parameter in (1) init.php, (2) users.php, (3) Cookie.php, (4) forms.php, (5) Groups.php, (6) ModSetting.php, (7) Calendar.php, (8) DateTime.php, (9) core.php, (10) ImgLibrary.php, (11) Manager.php, (12) Template.php, and (13) EZform.php. NOTE: CVE disputes this report, since "PHPWS_SOURCE_DIR" is defined as a constant, not accessed as a variable.
Exploits (1)
exploitdb
WRITEUP
VERIFIED
by Crackers_Child · text · webapps · php
https://www.exploit-db.com/exploits/28774
References (5)
Core References
Third Party Advisory third-party-advisory
x_refsource_sreason
http://securityreason.com/securityalert/1716
Third Party Advisory, VDB Entry mailing-list
x_refsource_bugtraq
http://www.securityfocus.com/archive/1/448098/100/0/threaded
Exploit vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/20412
Exploit mailing-list
x_refsource_vim
http://www.attrition.org/pipermail/vim/2006-October/001079.html
Third Party Advisory, VDB Entry mailing-list
x_refsource_bugtraq
http://www.securityfocus.com/archive/1/448307/100/100/threaded
Scores
EPSS
0.0631
EPSS Percentile
91.0%
Details
Status
published
Products (1)
phpwebsite/phpwebsite
0.10.2
Published
Oct 11, 2006
Tracked Since
Feb 18, 2026