Vulnerability Name: CVE-2006-0147 (CCN-24052)
Assigned: 2006-01-09
Published: 2006-01-09
Updated: 2018-10-19
Summary: Dynamic code evaluation vulnerability in tests/tmssql.php test script in ADOdb for PHP before 4.70, as used in multiple products including (1) Mantis, (2) PostNuke, (3) Moodle, (4) Cacti, (5) Xaraya, (6) PhpOpenChat, possibly (7) MAXdev MD-Pro, and (8) Simplog, allows remote attackers to execute arbitrary PHP functions via the do parameter, which is saved in a variable that is then executed as a function, as demonstrated using phpinfo.
CVSS v3 Severity: 9.0 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVSS v2 Severity: 7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
5.5 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
5.6 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
Vulnerability Type: CWE-Other
Vulnerability Consequences: Gain Access
References:
Source: CCN Type: AgillBill Web site Agileco.com
Source: MITRE Type: CNA CVE-2006-0147
Source: CCN Type: Moodle Web site Moodle: Download
Source: CCN Type: PostNuke Web site Downloads
Source: MISC Type: Exploit http://retrogod.altervista.org/phpopenchat_30x_sql_xpl.html
Source: MISC Type: Exploit http://retrogod.altervista.org/simplog_092_incl_xpl.html
Source: CCN Type: SA17418 ADOdb Insecure Test Scripts Security Issues
Source: SECUNIA Type: Exploit, Patch, Vendor Advisory 17418
Source: CCN Type: SA18233 Xaraya ADOdb Insecure Test Scripts Security Issues
Source: SECUNIA Type: Patch, Vendor Advisory 18233
Source: CCN Type: SA18254 Mantis ADOdb Insecure Test Scripts Security Issues
Source: SECUNIA Type: Patch, Vendor Advisory 18254
Source: CCN Type: SA18260 PostNuke ADOdb "server.php" Insecure Test Script Security Issue
Source: SECUNIA Type: Patch, Vendor Advisory 18260
Source: CCN Type: SA18267 Moodle ADOdb Insecure Test Scripts Security Issues
Source: SECUNIA Type: Vendor Advisory 18267
Source: CCN Type: SA18276 Cacti ADOdb "server.php" Insecure Test Script Security Issue
Source: SECUNIA Type: Patch, Vendor Advisory 18276
Source: SECUNIA Type: Patch, Vendor Advisory 19555
Source: SECUNIA Type: Patch, Vendor Advisory 19590
Source: SECUNIA Type: Patch, Vendor Advisory 19591
Source: CCN Type: SA19600 PHPOpenChat ADOdb Insecure Test Scripts Security Issues
Source: SECUNIA Type: Vendor Advisory 19600
Source: CCN Type: SA19628 Simplog Multiple Vulnerabilities and Security Issues
Source: SECUNIA Type: Patch, Vendor Advisory 19628
Source: SECUNIA Type: UNKNOWN 19691
Source: MISC Type: Exploit, Patch, Vendor Advisory http://secunia.com/secunia_research/2005-64/advisory/
Source: CCN Type: SourceForge.net: ADOdb Latest File Releases
Source: CCN Type: Cacti Web site Download Cacti
Source: DEBIAN Type: Patch, Vendor Advisory DSA-1029
Source: DEBIAN Type: Patch, Vendor Advisory DSA-1030
Source: DEBIAN Type: UNKNOWN DSA-1031
Source: DEBIAN Type: DSA-1029 libphp-adodb -- several vulnerabilities
Source: DEBIAN Type: DSA-1030 moodle -- several vulnerabilities
Source: DEBIAN Type: DSA-1031 cacti -- several vulnerabilities
Source: CCN Type: GLSA-200604-07 Cacti: Multiple vulnerabilities in included ADOdb
Source: GENTOO Type: Patch, Vendor Advisory GLSA-200604-07
Source: OSVDB Type: UNKNOWN 22291
Source: CCN Type: OSVDB ID: 22291 ADOdb tmssql.php do Variable Arbitrary PHP Function Execution
Source: CCN Type: OSVDB ID: 27620 ADOdb tmssql.php do Parameter XSS
Source: CCN Type: PHP Link Directory Web site PHP Link Directory
Source: BUGTRAQ Type: UNKNOWN 20060409 PhpOpenChat 3.0.x ADODB Server.php "sql" SQL injection
Source: BUGTRAQ Type: UNKNOWN 20060412 Simplog <=0.9.2 multiple vulnerabilities
Source: CCN Type: BID-18638 ADOdb Tmssql.PHP Cross-Site Scripting Vulnerability
Source: VUPEN Type: UNKNOWN ADV-2006-0101
Source: VUPEN Type: UNKNOWN ADV-2006-0102
Source: VUPEN Type: UNKNOWN ADV-2006-0103
Source: VUPEN Type: UNKNOWN ADV-2006-0104
Source: VUPEN Type: UNKNOWN ADV-2006-1305
Source: VUPEN Type: UNKNOWN ADV-2006-1332
Source: XF Type: UNKNOWN adodb-tmssql-command-execution(24052)
Source: EXPLOIT-DB Type: UNKNOWN 1663