PHP Advanced Transfer Manager <= 1.30 Multiple Vulnerabilities

High Nessus Network Monitor Plugin ID 3234


Synopsis

The remote host is vulnerable to multiple attack vectors.


Description

The version of PHP Advanced Transfer Manager on the remote host suffers from multiple information disclosure and cross-site scripting flaws. For example, by calling the text or HTML viewer directly, an unauthenticated attacker can view arbitrary files, possibly even from remote hosts, provided PHP's 'register_globals' setting is enabled. As another example, an attacker can issue a request for '/PATH/users/username' and retrieve sensitive user credentials. In addition, selected PHP settings on the remote host can be disclosed by accessing the 'test.php' script directly.


Solution

Disable PHP's 'register_globals' setting and remove the 'test.php' script.

Plugin Details

Severity: High

ID: 3234

File Name: 3234.prm

Family: CGI

Published: 2005/09/20

Modified: 2016/01/21

Dependencies: 1442

Nessus ID: 19768

Risk Information

Risk Factor: High


CVSS v2

Base Score: 7.5

Temporal Score: 7.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:F/RL:U/RC:ND


CVSS v3

Base Score: 7.3

Temporal Score: 7.1


Temporal Vector: CVSS3#E:F/RL:U/RC:X

Vulnerability Information

CPE: cpe:/a:bugada_andrea:php_advanced_transfer_manager

Reference Information

BID: 14883, 15237, 15074, 14887