VYPR
Unrated severity · NVD Advisory · Published Nov 30, 2005 · Updated Apr 16, 2026

CVE-2005-3929

Description

Directory traversal vulnerability in the create function in xarMLSXML2PHPBackend.php in Xaraya 1.0 allows remote attackers to create directories and overwrite arbitrary files via ".." sequences in the module parameter to index.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Directory traversal in Xaraya 1.0 allows remote attackers to create directories and overwrite files via '..' sequences in the module parameter.

Vulnerability

A directory traversal vulnerability exists in the create function of xarMLSXML2PHPBackend.php in Xaraya version 1.0. The flaw allows remote attackers to traverse directories by injecting .. sequences into the module parameter passed to index.php. No authentication is required to reach the vulnerable code path.

Exploitation

An attacker can send a crafted HTTP request to index.php with a module parameter containing ../ sequences. The vulnerable function does not sanitize the input, enabling the attacker to specify arbitrary file paths. The attack requires no special privileges or user interaction; only network access to the Xaraya instance is needed.

Impact

Successful exploitation allows the attacker to create directories and overwrite arbitrary files on the server. This can lead to arbitrary code execution if the attacker overwrites executable files (e.g., PHP scripts) or configuration files, potentially compromising the entire application and underlying system.

Mitigation

As of the publication date (2005-11-30), no patch or fixed version was available in the provided references [1]. Users should monitor the Xaraya project for updates or apply input validation to the module parameter as a temporary workaround. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
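
One way to implement the input-validation workaround mentioned above, as an added example (not Xaraya's code or an official fix): it allow-lists the module value as a plain identifier and checks directory containment before anything is created. The function names, the 64-character limit and the demo base directory are assumptions.

```php
<?php
// Added example, not Xaraya code: names and base directory are hypothetical.

// Accept only a plain identifier, so "..", "/", "\" and NUL bytes never pass.
function validate_module_name(string $module): string
{
    // \A and \z anchor the whole string; "$" would tolerate a trailing newline.
    if (!preg_match('/\A[A-Za-z][A-Za-z0-9_]{0,63}\z/', $module)) {
        throw new InvalidArgumentException('invalid module name');
    }
    return $module;
}

// Resolve the per-module directory and confirm it stays directly under $baseDir
// before anything is created on disk.
function safe_module_dir(string $baseDir, string $module): string
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('base directory missing');
    }
    $target = $base . DIRECTORY_SEPARATOR . validate_module_name($module);
    // Defence in depth: the target may not exist yet, so check its parent.
    if (realpath(dirname($target)) !== $base) {
        throw new RuntimeException('path escapes base directory');
    }
    // A pre-planted symlink with a valid name must not redirect the write.
    if (is_link($target)) {
        throw new RuntimeException('module directory is a symlink');
    }
    if (!is_dir($target) && !mkdir($target, 0750)) {
        throw new RuntimeException('cannot create module directory');
    }
    return $target;
}

// Constructed sample inputs: one valid name, three that must be rejected.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'module_dir_demo';
if (!is_dir($base)) {
    mkdir($base, 0750, true);
}
foreach (['roles', '../../tmp/x', 'roles/../..', "roles\0"] as $input) {
    try {
        echo json_encode($input), ' -> ', safe_module_dir($base, $input), PHP_EOL;
    } catch (Exception $e) {
        echo json_encode($input), ' rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Rejecting by allow-list rather than stripping `..` avoids bypasses through nested or encoded sequences that reassemble after filtering.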

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

4
  • Xaraya/Xaraya: 4 versions
    • cpe:2.3:a:xaraya:xaraya:1.0_rc1:*:*:*:*:*:*:*
    • cpe:2.3:a:xaraya:xaraya:1.0_rc2:*:*:*:*:*:*:*
    • cpe:2.3:a:xaraya:xaraya:1.0_rc3:*:*:*:*:*:*:*
    • cpe:2.3:a:xaraya:xaraya:1.0_rc4:*:*:*:*:*:*:*

Patches

0

No patches discovered yet.

References

8
