CVE-2006-5291

PHP remote file inclusion vulnerability in admin/includes/spaw/spaw_control.class.php in Download-Engine 1.4.2 allows remote attackers to execute arbitrary PHP code via a URL in the spaw_root parameter. NOTE: CVE analysis suggests that this issue is actually in a third party product, SPAW Editor PHP Edition, so this issue is probably a duplicate of CVE-2006-4656.

Referenced by CVEs: CVE-2006-5459, CVE-2007-2255
Score: 7.5
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Published: 2006-10-16 02:07:00.000-04
Last Modified: 2018-10-17 05:42:01.000-04

Vulnerable Software List

Vendor | Product | Versions
Alex | Downloadengine | 1.4.2

References

Source | Link
SREASON | 1723
CONFIRM | http://spaw.cvs.sourceforge.net/spaw/spaw/docs/ChangeLog.txt?view=markup
MISC | http://spaw.cvs.sourceforge.net/spaw/spaw/spaw_control.class.php?r1=1.19&r2=1.20
MISC | http://spaw.cvs.sourceforge.net/spaw/spaw/spaw_control.class.php?r1=1.25&r2=1.26
BUGTRAQ | 20061012 Download-Engine Remote File Include
BID | 20500
VUPEN | ADV-2006-4025
XF | downloadengine-spaw-file-include(29493)
EXPLOIT-DB | 2521