CVE-2006-0315 Information

Description

index.php in EZDatabase before 2.1.2 does not properly cleanse the p parameter before constructing and including a .php filename, which allows remote attackers to conduct directory traversal attacks and produces resultant cross-site scripting (XSS) and path disclosure.

Reference

http://archives.neohapsis.com/archives/fulldisclosure/2006-01/0515.html
http://secunia.com/advisories/18043
http://www.osvdb.org/22684
http://www.securityfocus.com/archive/1/422071/100/0/threaded
http://www.securityfocus.com/bid/16257
http://zur.homelinux.com/Advisories/ezdatabase_dir_trans.txt
https://exchange.xforce.ibmcloud.com/vulnerabilities/24134
https://exchange.xforce.ibmcloud.com/vulnerabilities/24135
