| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 6.6 | $0-$5k | 0.00 |
Summary
A vulnerability was found in PHP up to 4.69. It has been classified as critical. This impacts an unknown function of the file tests/tmssql.php. Performing a manipulation results in Remote Code Execution. This vulnerability is reported as CVE-2006-0147. The attack is possible to be carried out remotely. Moreover, an exploit is present. Upgrading the affected component is recommended.
Details
A vulnerability was found in PHP up to 4.69 (Programming Language Software). It has been classified as critical. This affects an unknown code block of the file tests/tmssql.php. The manipulation with an unknown input leads to a remote code execution vulnerability. This is going to have an impact on confidentiality, integrity, and availability. The summary by CVE is:
Dynamic code evaluation vulnerability in tests/tmssql.php test script in ADOdb for PHP before 4.70, as used in multiple products including (1) Mantis, (2) PostNuke, (3) Moodle, (4) Cacti, (5) Xaraya, (6) PhpOpenChat, possibly (7) MAXdev MD-Pro, and (8) Simplog, allows remote attackers to execute arbitrary PHP functions via the do parameter, which is saved in a variable that is then executed as a function, as demonstrated using phpinfo.
The bug was discovered 12/30/2005. The weakness was disclosed 01/09/2006 by Andreas Sandblad (Website). The advisory is shared at gentoo.org. This vulnerability is uniquely identified as CVE-2006-0147. The exploitability is told to be easy. It is possible to initiate the attack remotely. No form of authentication is needed for exploitation. Technical details and a public exploit are known.
After even before and not, there has been an exploit disclosed. The exploit is shared for download at exploit-db.com. It is declared as proof-of-concept. The vulnerability was handled as a non-public zero-day exploit for at least 10 days. During that time the estimated underground price was around $5k-$25k. By approaching the search of inurl:tests/tmssql.php it is possible to find vulnerable targets with Google Hacking. The vulnerability scanner Nessus provides a plugin with the ID 20384 (ADOdb tmssql.php do Parameter Arbitrary PHP Function Execution), which helps to determine the existence of the flaw in a target environment. It is assigned to the family CGI abuses.
Upgrading to version 4.70 eliminates this vulnerability.
The vulnerability is also documented in the databases at X-Force (24052), Exploit-DB (1663), Tenable (20384), OSVDB (22291†) and Secunia (SA17418†). The entries VDB-28256, VDB-29645, VDB-29644 and VDB-29643 are pretty similar. Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Product
Type
Name
Version
- 4.0
- 4.1
- 4.2
- 4.3
- 4.4
- 4.5
- 4.6
- 4.7
- 4.8
- 4.9
- 4.10
- 4.11
- 4.12
- 4.13
- 4.14
- 4.15
- 4.16
- 4.17
- 4.18
- 4.19
- 4.20
- 4.21
- 4.22
- 4.23
- 4.24
- 4.25
- 4.26
- 4.27
- 4.28
- 4.29
- 4.30
- 4.31
- 4.32
- 4.33
- 4.34
- 4.35
- 4.36
- 4.37
- 4.38
- 4.39
- 4.40
- 4.41
- 4.42
- 4.43
- 4.44
- 4.45
- 4.46
- 4.47
- 4.48
- 4.49
- 4.50
- 4.51
- 4.52
- 4.53
- 4.54
- 4.55
- 4.56
- 4.57
- 4.58
- 4.59
- 4.60
- 4.61
- 4.62
- 4.63
- 4.64
- 4.65
- 4.66
- 4.67
- 4.68
- 4.69
License
Website
- Product: https://www.php.org/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 7.3VulDB Meta Temp Score: 6.6
VulDB Base Score: 7.3
VulDB Temp Score: 6.6
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Remote Code ExecutionCWE: Unknown
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Access: Public
Status: Proof-of-Concept
Download: 🔍
Google Hack: 🔍
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 20384
Nessus Name: ADOdb tmssql.php do Parameter Arbitrary PHP Function Execution
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
OpenVAS ID: 56535
OpenVAS Name: Debian Security Advisory DSA 1029-1 (libphp-adodb)
OpenVAS File: 🔍
OpenVAS Family: 🔍
Exploit-DB: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Upgrade: PHP 4.70
Timeline
12/30/2005 🔍01/09/2006 🔍
01/09/2006 🔍
01/09/2006 🔍
01/09/2006 🔍
01/09/2006 🔍
01/09/2006 🔍
01/10/2006 🔍
04/23/2006 🔍
03/12/2015 🔍
06/22/2024 🔍
Sources
Product: php.orgAdvisory: gentoo.org
Researcher: Andreas Sandblad
Status: Not defined
CVE: CVE-2006-0147 (🔍)
GCVE (CVE): GCVE-0-2006-0147
GCVE (VulDB): GCVE-100-28257
X-Force: 24052
Secunia: 17418
OSVDB: 22291 - ADOdb tmssql.php do Variable Arbitrary PHP Function Execution
Vulnerability Center: 11179 - ADOdb for PHP before 4.70 Remote PHP Code Execution via the do Parameter, High
scip Labs: https://www.scip.ch/en/?labs.20161013
See also: 🔍
Entry
Created: 03/12/2015 11:11Updated: 06/22/2024 15:52
Changes: 03/12/2015 11:11 (64), 01/11/2019 12:17 (10), 07/07/2021 13:33 (2), 07/07/2021 13:38 (1), 06/22/2024 15:52 (16)
Complete: 🔍
Cache ID: 216::103
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
No comments yet. Languages: en.
Please log in to comment.