A vulnerability classified as problematic has been found in Alexphpteam Alex Guestbook 4.0.1. This affects an unknown functionality of the file index.php of the component Error Message Handler. The manipulation of the argument skin with an unknown input leads to a information disclosure vulnerability. CWE is classifying the issue as CWE-200. The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. This is going to have an impact on confidentiality. The summary by CVE is:

index.php in @lex Guestbook 4.0.1 allows remote attackers to obtain sensitive information via a skin parameter referencing a nonexistent skin, which reveals the installation path in an error message.

The weakness was published 12/04/2006 (Website). It is possible to read the advisory at vupen.com. This vulnerability is uniquely identified as CVE-2006-6279 since 12/03/2006. The exploitability is told to be easy. It is possible to initiate the attack remotely. No form of authentication is needed for exploitation. Technical details of the vulnerability are known, but there is no available exploit. The attack technique deployed by this issue is T1592 according to MITRE ATT&CK.

It is declared as highly functional. By approaching the search of inurl:index.php it is possible to find vulnerable targets with Google Hacking.

The vulnerability is also documented in the vulnerability database at X-Force (30638). Similar entry is available at 33614.

Productinfo

Vendor

• Alexphpteam

Name

• Alex Guestbook

Version

• 4.0.1

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion