CVE-2006-3360

Name: CVE-2006-3360
Description: Directory traversal vulnerability in index.php in phpSysInfo 2.5.1 allows remote attackers to determine the existence of arbitrary files via a .. (dot dot) sequence and a trailing null (%00) byte in the lng parameter, which will display a different error message if the file exists.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package      Release    Version     Status
phpsysinfo (PTS)    jessie     3.0.17-1    vulnerable
                    sid        3.2.5-3     vulnerable

The information below is based on the following data on fixed versions.

Package         Type      Release       Fixed Version    Urgency        Origin    Debian Bugs
egroupware      source    (unstable)    (unfixed)        unimportant
phpgroupware    source    (unstable)    (unfixed)        unimportant
phpsysinfo      source    (unstable)    (unfixed)        unimportant

Notes

Only the existence of files inside the WWW root is leaked. If this is
a threat to your setup you most probably shouldn't install a script which
exposes all your system data, either.
