[CLOSE] OSVDB ID : 55200 - Disclosed: 2009-06-15

Description:

TorrentTrader contains a flaw that may lead to an unauthorized information disclosure.  The issue is triggered by unrestricted access to backup-database.php, which will create a full database backup in an easily-guessed and accessible location which will disclose database contents resulting in a loss of confidentiality.

[CLOSE] OSVDB ID : 55202 - Disclosed: 2009-06-15

Description:

TorrentTrader contains a flaw that may lead to an unauthorized information disclosure.  The issue is triggered by unrestricted access to check.php, which will disclose local installation information resulting in a loss of confidentiality.

[CLOSE] OSVDB ID : 55203 - Disclosed: 2009-06-15

Description:

TorrentTrader contains a flaw that may lead to an unauthorized information disclosure.  The issue is triggered by unrestricted access to the phpinfo.php script, which will disclose local installation information resulting in a loss of confidentiality.

[CLOSE] OSVDB ID : 55207 - Disclosed: 2009-06-15

Description:

TorrentTrader contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the report.php script not properly sanitizing user-supplied input to the 'user,' 'torrent,' 'forumid' and 'forumpost' variables. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 55214 - Disclosed: 2009-06-15

Description:

TorrentTrader contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'Title' field upon submission to the requests.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 55215 - Disclosed: 2009-06-15

Description:

TorrentTrader contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'Torrent Name' field upon submission to the torrents-upload.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 55218 - Disclosed: 2009-06-15

Description:

TorrentTrader contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 'CURUSER' and 'SITENAME' variables upon submission to the themes/default/header.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 53499 - Disclosed: 2009-01-15

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 20524 - Disclosed: 2005-11-04

Description:

Phorum contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'search.php' script not properly sanitizing user-supplied input to the 'forum_ids' variable. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 11879 - Disclosed: 2004-11-16

Description:

PHPNuke Event Calendar contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when an attacker directly accesses "config.php" and receives error messages, which will disclose server path information resulting in a loss of confidentiality.

[CLOSE] OSVDB ID : 11880 - Disclosed: 2004-11-16

Description:

PHPNuke Event Calendar contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when an attacker directly accesses "index.php" and receives error messages, which will disclose server path information resulting in a loss of confidentiality.

[CLOSE] OSVDB ID : 11881 - Disclosed: 2004-11-16

Description:

PHPNuke Event Calendar contains a flaw that may lead to an unauthorized information disclosure.  The issue is triggered when an attacker directly accesses "submit.php" and receives error messages, which will disclose server path information resulting in a loss of confidentiality.

[CLOSE] OSVDB ID : 11882 - Disclosed: 2004-11-16

Description:

PHPNuke Event Calendar contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the "type", "day", "month" and "year" variables upon submission to the "modules.php" script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 11883 - Disclosed: 2004-11-16

Description:

PHP-Nuke Event Calendar contains a flaw that will allow an attacker to inject arbitrary script. The problem is that the field "event comment" does not suffiiciently sanitize variable, which will allow an attacker to inject arbitrary javascript code.

[CLOSE] OSVDB ID : 11884 - Disclosed: 2004-11-16

Description:

PHP-Nuke Event Calendar contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that the "$eid" and "$cid" variables in the "modules.php" module are not verified properly and will allow an attacker to inject or manipulate SQL queries.

[CLOSE] OSVDB ID : 11676 - Disclosed: 2004-11-11

Description:

Phorum contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that the thread variable in the follow.php module is not verified properly and will allow an attacker to inject or manipulate SQL queries.

[CLOSE] OSVDB ID : 8506 - Disclosed: 2004-08-11

Description:

PHP-Nuke contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate Web_Links, Journal, Stories Archive or Topic Archive variables upon submission to the search script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 7949 - Disclosed: 2004-07-16

Description:

PHP-Nuke contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate input variables upon submission to the Search module. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 7950 - Disclosed: 2004-07-16

Description:

PHP-Nuke contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that the instory variable in the Search module is not verified properly and will allow an attacker to inject or manipulate SQL queries.

[CLOSE] OSVDB ID : 7808 - Disclosed: 2004-07-13

Description:

phpBB contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker provides an invalid argument to the category_rows variable in the index.php script occurs, which will disclose the physical path of the installation resulting in a loss of confidentiality.

[CLOSE] OSVDB ID : 7810 - Disclosed: 2004-07-13

Description:

phpBB contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the category_rows variable upon submission to the index.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 7944 - Disclosed: 2004-07-13

Description:

phpBB contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker provides an invalid argument to the faq variable in the language\lang_english\lang_faq.php script occurs, which will disclose the physical path of the installation resulting in a loss of confidentiality.

[CLOSE] OSVDB ID : 7945 - Disclosed: 2004-07-13

Description:

phpBB contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker provides an invalid argument to the faq variable in the language\lang_english\lang_bbcode.php script occurs, which will disclose the physical path of the installation resulting in a loss of confidentiality.

[CLOSE] OSVDB ID : 7946 - Disclosed: 2004-07-13

Description:

phpBB contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker provides an invalid argument to the ranksrow variable in the includes\usercp_viewprofile.php script occurs, which will disclose the physical path of the installation resulting in a loss of confidentiality.

[CLOSE] OSVDB ID : 7947 - Disclosed: 2004-07-13

Description:

phpBB contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the "faq" variable upon submission to the lang_faq.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 7948 - Disclosed: 2004-07-13

Description:

phpBB contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the "faq" variable upon submission to the lang_bbcode.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 7223 - Disclosed: 2004-06-23

Description:

PHP-Nuke contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker requests an invalid parameter of the voteinclude.php file in the Web Links module, which will disclose the physical path of the web server resulting in a loss of confidentiality.

[CLOSE] OSVDB ID : 7224 - Disclosed: 2004-06-23

Description:

PHP-Nuke contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the "jid" variable upon submission to the "delete.php" script in the Journal module. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 7225 - Disclosed: 2004-06-23

Description:

PHP-Nuke contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the "onwhat" variable upon submission to the "comment.php" script in the Journal module. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 7226 - Disclosed: 2004-06-23

Description:

PHP-Nuke contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker requests an invalid parameter of the convert_month() function of the Statistics module, which will disclose the physical path of the web server resulting in a loss of confidentiality.

[CLOSE] OSVDB ID : 7227 - Disclosed: 2004-06-23

Description:

PHP-Nuke contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker requests an invalid parameter of the add.php file in the Journal module, which will disclose the physical path of the web server resulting in a loss of confidentiality.

[CLOSE] OSVDB ID : 7228 - Disclosed: 2004-06-23

Description:

PHP-Nuke contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker requests an invalid parameter of the modify.php file in the Journal module, which will disclose the physical path of the web server resulting in a loss of confidentiality.

[CLOSE] OSVDB ID : 7229 - Disclosed: 2004-06-23

Description:

PHP-Nuke contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the "yun" or "ye" variables upon submission to the "friend.php" script in the Journal module. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 7230 - Disclosed: 2004-06-23

Description:

PHP-Nuke contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the "filelist" variable upon submission to the "add.php" script in the Journal module. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 7231 - Disclosed: 2004-06-23

Description:

PHP-Nuke contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the "filelist" variable upon submission to the "modify.php" script in the Journal module. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 7232 - Disclosed: 2004-06-23

Description:

PHP-Nuke contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the "rid" variable upon submission to the "commentsave.php" script in the Journal module. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 7233 - Disclosed: 2004-06-23

Description:

PHP-Nuke contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that the "forwhat" variable in the Journal module search.php script is not verified properly and will allow an attacker to inject or manipulate SQL queries.

[CLOSE] OSVDB ID : 7234 - Disclosed: 2004-06-23

Description:

PHP-Nuke contains a flaw that may allow a remote attacker to inject arbitrary javascript in a journal entry. The flaw is due to the Journal module not properly sanitize journal entry input. By creating a new journal entry with malicious java script, an attacker can have it executed under arbitrary privileges when another user attempts to list or read the journal entry.

[CLOSE] OSVDB ID : 7235 - Disclosed: 2004-06-23

Description:

PHP-Nuke contains a flaw that may allow a remote attacker to delete arbitrary journal entries. The flaw is due to the Journal module not properly checking for authentication credentials during a request to the commentkill.php script. If an attacker directly requests the script via a GET request, he can delete any journal entry.

[CLOSE] OSVDB ID : 7236 - Disclosed: 2004-06-23

Description:

PHP-Nuke contains a flaw that may allow a remote attacker to insert arbitrary journal entries. The flaw is due to the Journal module not properly checking for authentication credentials during a request to the savenew.php script. If an attacker directly requests the script via a GET request, he can insert a new journal entry without authenticating.