CVE-2006-0787 Information

Description

wimpy_trackplays.php in Plaino Wimpy MP3 Player possibly 5.2 and earlier allows remote attackers to insert arbitrary strings into trackme.txt via the (1) trackFile (2) trackArtist and (3) trackTitle parameters which can result in providing false information about songs occupying excessive disk space with very long parameter values and storing executable code that might be invoked through a different vulnerability. NOTE: since this issue as described by the original researcher is entirely dependent on the presence of another vulnerability it could be argued that Wimpy cannot be responsible for how its data file is processed by applications outside of its control. Since this issue might only be useful as a facilitator manipulation in another vulnerability perhaps it should not be included in CVE.

Reference

http://secunia.com/advisories/18900 http://www.securityfocus.com/bid/16696 http://www.xorcrew.net/xpa/XPA-WimpyMP3Player.txt https://exchange.xforce.ibmcloud.com/vulnerabilities/24770