CVE-2006-4673

Global variable overwrite vulnerability in maincore.php in PHP-Fusion 6.01.4 and earlier uses the extract function on the superglobals, which allows remote attackers to conduct SQL injection attacks via the _SERVER[REMOTE_ADDR] parameter to news.php.

Published: Sep 11, 2006
Updated: Apr 13, 2023
CVE: CVE-2006-4673
Severity: Low
Exploit:

CVSS v2:

Severity: Low
Score: 2.6
AV:N/AC:H/Au:N/C:N/I:P/A:N

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
php_fusion / php_fusion	6.0.105	6.0.105.x
php_fusion / php_fusion	6.0.303	6.0.303.x
php_fusion / php_fusion	6.0.106	6.0.106.x
php_fusion / php_fusion	6.0.204	6.0.204.x
php_fusion / php_fusion	6.0.110	6.0.110.x
php_fusion / php_fusion	6.0.109	6.0.109.x
php_fusion / php_fusion	6.0.307	6.0.307.x
php_fusion / php_fusion	6.0.304	6.0.304.x
php_fusion / php_fusion	-	6.01.4.x
php_fusion / php_fusion	6.0.107	6.0.107.x
php_fusion / php_fusion	6.0.206	6.0.206.x
php_fusion / php_fusion	6.0.306	6.0.306.x

http://marc.info/?l=bugtraq&m=115765187519458&w=2
http://retrogod.altervista.org/phpfusion_6-01-4_xpl.html
http://secunia.com/advisories/21830
http://www.php-fusion.co.uk/news.php?readmore=353
http://www.securityfocus.com/bid/19908
http://www.vupen.com/english/advisories/2006/3523
https://exchange.xforce.ibmcloud.com/vulnerabilities/28818

Vulnerability Database

289,697

CVE-2006-4673