CVE-2005-3738

critical

Description

globals.php in Mambo Site Server 4.0.14 and earlier, when register_globals is disabled, allows remote attackers to overwrite variables in the GLOBALS array and conduct various attacks, as demonstrated using the mosConfig_absolute_path parameter to content.html.php for remote PHP file inclusion.

References

http://www.vupen.com/english/advisories/2005/2473

http://www.securityfocus.com/bid/15461

http://www.securityfocus.com/archive/1/427196/100/0/threaded

http://www.securityfocus.com/archive/1/426942/100/0/threaded

http://securitytracker.com/id?1015258

http://secunia.com/advisories/17622

http://forum.mamboserver.com/showthread.php?t=66154

Details

Source: Mitre, NVD

Published: 2005-11-22

Updated: 2018-10-19

Risk Information

CVSS v2

Base Score: 2.6

Vector: CVSS2#AV:N/AC:H/Au:N/C:N/I:P/A:N

Severity: Low

CVSS v3

Base Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Severity: Critical