CVE-2006-5832 in AIOCP
Summary
by MITRE
All In One Control Panel (AIOCP) 1.3.007 and earlier allows remote attackers to obtain the full path of the web server via certain requests to (1) public/code/cp_dpage.php, possibly involving the aiocp_dp[] parameter, (2) public/code/cp_show_ec_products.php, possibly involving the order_field[] parameter, and (3) public/code/cp_show_page_help.php, possibly involving the hp[] parameter, which reveal the path in various error messages.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 04/27/2026
This vulnerability in All In One Control Panel version 1.3.007 and earlier represents a classic path disclosure flaw that exposes sensitive server information to remote attackers. The vulnerability manifests through three specific file endpoints that fail to properly validate or sanitize user input parameters, leading to the revelation of absolute file paths in error messages. The affected parameters aiocp_dp[], order_field[], and hp[] are processed without adequate input validation, allowing malicious actors to craft requests that trigger error conditions containing the full server path. This type of information disclosure vulnerability falls under CWE-209, which specifically addresses error messages containing sensitive information, and represents a fundamental weakness in the application's error handling mechanisms.
The operational impact of this vulnerability extends beyond simple information gathering, as the disclosed paths provide attackers with critical reconnaissance data for subsequent exploitation attempts. When attackers can obtain the full server path, they gain insight into the application's directory structure, which can be leveraged to identify potential attack vectors, understand file permissions, and plan more sophisticated attacks. The vulnerability affects multiple endpoints within the control panel, indicating a systemic issue with input parameter handling rather than isolated code flaws. This widespread nature suggests that the application's development practices lack consistent security controls for parameter validation and error message generation, which aligns with ATT&CK technique T1083 for discovery of system information and T1068 for exploit development.
The technical implementation of this vulnerability demonstrates poor input sanitization practices where user-supplied parameters are directly passed to internal functions without proper validation or encoding. When these parameters contain unexpected values or malformed input, the application's error handling mechanisms trigger, inadvertently exposing the server's absolute path to any user who can access the affected endpoints. This flaw particularly affects web applications that rely on dynamic parameter processing without adequate security controls, making it a common issue in legacy content management systems and control panels. The vulnerability is particularly dangerous because it requires no authentication or privileged access, making it easily exploitable by any remote attacker who can reach the targeted web server. Organizations should immediately implement input validation controls, sanitize all user parameters, and ensure that error messages do not contain sensitive system information to prevent exploitation of this type of path disclosure vulnerability.