CVE-2006-6661

Variable overwrite vulnerability in blog.php in PHP-Update 2.7 and earlier allows remote attackers to overwrite arbitrary program variables and execute arbitrary PHP code via multiple vectors that use the extract function, as demonstrated by the (1) f, (2) newmessage, (3) newusername, (4) adminuser, and (5) permission parameters.

Published: Dec 21, 2006
Updated: Apr 13, 2023
CVE: CVE-2006-6661
Severity: High
Exploit:

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
php-update / php-update	-	2.7.x

http://secunia.com/advisories/23407
http://www.vupen.com/english/advisories/2006/5088
https://www.exploit-db.com/exploits/2953

Vulnerability Database

290,273

CVE-2006-6661