CVE-2006-6112

LifeType 1.0.x and 1.1.x have insufficient access control for all of the PHP scripts under (1) class/ and (2) plugins/, which allows remote attackers to obtain the installation path via a direct request to any of the scripts, as demonstrated by (a) bayesianfilter.class.php and (b) bootstrap.php, which leaks the path in an error message.

Published: Dec 6, 2006
Updated: Apr 13, 2023
CVE: CVE-2006-6112
Severity: Medium
Exploit:

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:P/I:N/A:N

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
lifetype / lifetype	1.0.5	1.0.5.x
lifetype / lifetype	1.1.0	1.1.0.x
lifetype / lifetype	1.1.1	1.1.1.x
lifetype / lifetype	1.0.3	1.0.3.x
lifetype / lifetype	1.0.2	1.0.2.x
lifetype / lifetype	1.0.4	1.0.4.x
lifetype / lifetype	1.1.2	1.1.2.x

http://securityreason.com/securityalert/1980
http://www.lifetype.net/blog.php/lifetype-development-journal/2006/11/30/full_path_disclosure_vulnerability_in_lifetype_1.0.x_and_1.1.x
http://www.netvigilance.com/advisory0008
http://www.osvdb.org/30685
http://www.securityfocus.com/archive/1/453135/100/0/threaded
https://exchange.xforce.ibmcloud.com/vulnerabilities/30635

Vulnerability Database

CVE-2006-6112