CVE-2006-3360
phpSysInfo allows remote attackers to determine the existence of arbitrary files via a .. (dot dot) sequence
EPSS 7.9%
Description
Directory traversal vulnerability in index.php in phpSysInfo 2.5.1 allows remote attackers to determine the existence of arbitrary files via a .. (dot dot) sequence and a trailing null (%00) byte in the lng parameter, which will display a different error message if the file exists.
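A log check for the request shape described above, as an added example (not part of the original advisory or of phpSysInfo): it flags requests to index.php whose lng value, after repeated percent-decoding, contains a .. path segment or a null byte. The access-log format, paths and sample lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Request line of a common/combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines; addresses, paths and file names are placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /phpsysinfo/index.php?lng=en HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /phpsysinfo/index.php?lng=../../../some/file%00 HTTP/1.1" 200 310',
    '198.51.100.7 - - [01/Jan/2024:10:00:06 +0000] "GET /phpsysinfo/index.php?lng=%252e%252e%252fother%252ffile%2500 HTTP/1.1" 200 298',
    '192.0.2.10 - - [01/Jan/2024:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_lng(log_line):
    """Return why a log line matches the lng traversal shape (empty if not)."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    if not url.path.endswith("/index.php"):
        return []
    reasons = set()
    for key, value in parse_qsl(url.query, keep_blank_values=True):
        if key != "lng":
            continue
        value = fully_decode(value)  # parse_qsl already decoded one layer
        # Drop null bytes before splitting so "..\x00" still counts as "..".
        if ".." in re.split(r"[\\/]", value.replace("\x00", "")):
            reasons.add("dot-dot sequence")
        if "\x00" in value:
            reasons.add("null byte")
    return sorted(reasons)

def scan(lines):
    """Return (1-based line number, reasons) for every flagged line."""
    hits = [(n, suspicious_lng(line)) for n, line in enumerate(lines, 1)]
    return [(n, why) for n, why in hits if why]

if __name__ == "__main__":
    for number, why in scan(SAMPLE_LOG):
        print(f"line {number}: lng contains {', '.join(why)}")
```

Because the flaw is an existence oracle, several flagged requests from one client with differing response sizes are worth correlating during triage.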
How to fix CVE-2006-3360
To remediate CVE-2006-3360, upgrade the affected package to one of the fixed versions listed below.
- Debian/phpsysinfo—upgrade to 3.2.5-3 or later
- Packagist/phpsysinfo/phpsysinfo—upgrade to 3.2.5 or later
Is CVE-2006-3360 being exploited?
Moderate — EPSS is 7.9%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (2)
- Debian/phpsysinfo: from 0, < 3.2.5-3
- Packagist/phpsysinfo/phpsysinfo: from 0, < 3.2.5