Vulnerability Details CVE-2006-6112
LifeType 1.0.x and 1.1.x have insufficient access control for all of the PHP scripts under (1) class/ and (2) plugins/, which allows remote attackers to obtain the installation path via a direct request to any of the scripts, as demonstrated by (a) bayesianfilter.class.php and (b) bootstrap.php, which leaks the path in an error message.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.006
EPSS Ranking 68.4%
CVSS Severity
CVSS v2 Score 5.0
References
- http://securityreason.com/securityalert/1980
- http://www.lifetype.net/blog.php/lifetype-development-journal/2006/11/30/full_path_disclosure_vulnerability_in_lifetype_1.0.x_and_1.1.x
- http://www.netvigilance.com/advisory0008
- http://www.osvdb.org/30685
- http://www.securityfocus.com/archive/1/453135/100/0/threaded
- https://exchange.xforce.ibmcloud.com/vulnerabilities/30635
- http://securityreason.com/securityalert/1980
- http://www.lifetype.net/blog.php/lifetype-development-journal/2006/11/30/full_path_disclosure_vulnerability_in_lifetype_1.0.x_and_1.1.x
- http://www.netvigilance.com/advisory0008
- http://www.osvdb.org/30685
- http://www.securityfocus.com/archive/1/453135/100/0/threaded
- https://exchange.xforce.ibmcloud.com/vulnerabilities/30635
Products affected by CVE-2006-6112
-
cpe:2.3:a:lifetype:lifetype:1.0.2
-
cpe:2.3:a:lifetype:lifetype:1.0.3
-
cpe:2.3:a:lifetype:lifetype:1.0.4
-
cpe:2.3:a:lifetype:lifetype:1.0.5
-
cpe:2.3:a:lifetype:lifetype:1.1.0
-
cpe:2.3:a:lifetype:lifetype:1.1.1
-
cpe:2.3:a:lifetype:lifetype:1.1.2