| OSVDB ID | Disclosure Date | Title |
|
35356
Description:
(Description Provided by CVE) : Multiple PHP remote file inclusion vulnerabilities in Robert Ladstaetter ActionPoll 1.1.0, and possibly 1.1.1, allow remote attackers to execute arbitrary PHP code via a URL in (1) the CONFIG_POLLDB parameter to actionpoll.php or (2) the CONFIG_DB parameter to db/DataReaderWriter.php, different vectors than CVE-2001-1297.
|
2007-04-15
|
ActionPoll actionpoll.php CONFIG_POLLDB Parameter Remote File Inclusion
|
|
35357
Description:
(Description Provided by CVE) : Multiple PHP remote file inclusion vulnerabilities in Robert Ladstaetter ActionPoll 1.1.0, and possibly 1.1.1, allow remote attackers to execute arbitrary PHP code via a URL in (1) the CONFIG_POLLDB parameter to actionpoll.php or (2) the CONFIG_DB parameter to db/DataReaderWriter.php, different vectors than CVE-2001-1297.
|
2007-04-15
|
ActionPoll db/DataReaderWriter.php CONFIG_DB Parameter Remote File Inclusion
|
|
34151
Description:
Jambook for Joomla/Mambo has been reported to contain a flaw that may allow a remote attacker to execute arbitrary commands. The issue was supposedly due to jambook.php not properly sanitizing user input supplied to the 'mosConfig_absolute_path' variable. However, third-party research indicates that file inclusions are not possible because jambook.php is restricted from being called directly.
|
2007-04-15
|
Jambook for Joomla/Mambo jambook.php mosConfig_absolute_path Parameter Remote File Inclusion
|
|
35239
Description:
(Description Provided by CVE) : vsdatant.sys in Check Point Zone Labs ZoneAlarm Pro before 7.0.302.000 does not validate certain arguments before being passed to hooked SSDT function handlers, which allows local users to cause a denial of service (system crash) or possibly execute arbitrary code via crafted arguments to the (1) NtCreateKey and (2) NtDeleteFile functions.
|
2007-04-15
|
ZoneAlarm vsdatant.sys Hooked SSDT Function Local Privilege Escalation
|
|
35392
Description:
(Description Provided by CVE) : Direct static code injection vulnerability in admin/settings.php in MyBlog 0.9.8 and earlier allows remote authenticated admin users to inject arbitrary PHP code via the content parameter, which can be executed by accessing index.php. NOTE: a separate vulnerability could be leveraged to make this issue exploitable by remote unauthenticated attackers.
|
2007-04-15
|
MyBlog admin/settings.php content Variable Arbitrary PHP Code Execution
|
|
35388
Description:
Gallery contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'errors/needinit.php' script not properly sanitizing user input supplied to the 'GALLERY_BASEDIR' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server.
|
2007-04-15
|
Gallery errors/needinit.php GALLERY_BASEDIR Parameter Remote File Inclusion
|
|
35389
Description:
Gallery contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'errors/reconfigure.php' script not properly sanitizing user input supplied to the 'GALLERY_BASEDIR' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server.
|
2007-04-15
|
Gallery errors/reconfigure.php GALLERY_BASEDIR Parameter Remote File Inclusion
|
|
35390
Description:
Gallery contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'errors/unconfigured.php' script not properly sanitizing user input supplied to the 'GALLERY_BASEDIR' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server.
|
2007-04-15
|
Gallery errors/unconfigured.php GALLERY_BASEDIR Parameter Remote File Inclusion
|
|
35391
Description:
Gallery contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'errors/configmode.php' script not properly sanitizing user input supplied to the 'GALLERY_BASEDIR' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server.
|
2007-04-15
|
Gallery errors/configmode.php GALLERY_BASEDIR Parameter Remote File Inclusion
|
|
39293
Description:
Unknown / Incomplete
|
2007-04-15
|
ELinks Malformed BitTorrent URL DoS
|
|
39292
Description:
Unknown / Incomplete
|
2007-04-15
|
ELinks Malformed FTP Server Response Memory Corruption
|
|
35477
Description:
(Description Provided by CVE) : SQL injection vulnerability in kontakt.php in Papoo 3.02 and earlier allows remote attackers to execute arbitrary SQL commands via the menuid parameter, a different vector than CVE-2005-4478.
|
2007-04-15
|
Papoo CMS kontakt.php menuid Parameter SQL Injection
|
|
34977
Description:
Pixaria Gallery contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'psg.smarty.lib.php' script not properly sanitizing user input supplied to the 'cfg[sys][base_path]' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server.
|
2007-04-15
|
Pixaria Gallery psg.smarty.lib.php cfg[sys][base_path] Parameter Remote File Inclusion
|
|
34978
Description:
Pixaria Gallery contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to unspecified scripts in the 'library/include' directory not properly sanitizing user input supplied to unspecified parameter(s). This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server.
|
2007-04-15
|
Pixaria Gallery library/include Multiple Unspecified Remote File Inclusion
|
|
34979
Description:
CNStats contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'who_r.php' script not properly sanitizing user input supplied to the 'bj' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server.
|
2007-04-15
|
CNStats who_r.php bj Parameter Remote File Inclusion
|
|
34980
Description:
CNStats contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'who_s.php' script not properly sanitizing user input supplied to the 'bj' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server.
|
2007-04-15
|
CNStats who_s.php bj Parameter Remote File Inclusion
|
|
34997
Description:
(Description Provided by CVE) : Directory traversal vulnerability in includes/footer.php in News Manager Deluxe (NMDeluxe) 1.0.1 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the template parameter.
|
2007-04-15
|
NMDeluxe includes/footer.php template Variable Traversal Local File Inclusion
|
|
34972
Description:
(Description Provided by CVE) : Cross-site scripting (XSS) vulnerability in oe2edit.cgi in oe2edit CMS allows remote attackers to inject arbitrary web script or HTML via the q parameter.
|
2007-04-15
|
oe2edit oe2edit.cgi q Parameter XSS
|
|
35834
Description:
(Description Provided by CVE) : SQL injection vulnerability in kontakt.php in Papoo 3.02 and earlier allows remote attackers to execute arbitrary SQL commands via the menuid parameter, a different vector than CVE-2005-4478.
|
2007-04-15
|
Papoo kontakt.php menuid SQL Injection
|
|
37436
Description:
(Description Provided by CVE) : Multiple PHP remote file inclusion vulnerabilities in Marco Antonio Islas Cruz Web Slider (WebSlider) 0.6 allow remote attackers to execute arbitrary PHP code via a URL in the path parameter to (1) index.php, (2) modules/pdf.php, (3) plugins/highlight.php, or (4) include/modules.php.
|
2007-04-15
|
WebSlider index.php path Parameter Remote File Inclusion
|
|
37437
Description:
(Description Provided by CVE) : Multiple PHP remote file inclusion vulnerabilities in Marco Antonio Islas Cruz Web Slider (WebSlider) 0.6 allow remote attackers to execute arbitrary PHP code via a URL in the path parameter to (1) index.php, (2) modules/pdf.php, (3) plugins/highlight.php, or (4) include/modules.php.
|
2007-04-15
|
WebSlider modules/pdf.php path Parameter Remote File Inclusion
|
|
37438
Description:
(Description Provided by CVE) : Multiple PHP remote file inclusion vulnerabilities in Marco Antonio Islas Cruz Web Slider (WebSlider) 0.6 allow remote attackers to execute arbitrary PHP code via a URL in the path parameter to (1) index.php, (2) modules/pdf.php, (3) plugins/highlight.php, or (4) include/modules.php.
|
2007-04-15
|
WebSlider plugins/highlight.php path Parameter Remote File Inclusion
|
|
37439
Description:
WebSlider contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'include/modules.php' script not properly sanitizing user input supplied to the 'path' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server.
|
2007-04-15
|
WebSlider include/modules.php path Parameter Remote File Inclusion
|
|
37440
Description:
(Description Provided by CVE) : Multiple SQL injection vulnerabilities in XAMPP 1.6.0a for Windows allow remote attackers to execute arbitrary SQL commands via unspecified vectors in certain test scripts.
|
2007-04-15
|
XAMPP Test Script Unspecified SQL Injection
|
|
37565
Description:
(Description Provided by CVE) : Multiple PHP remote file inclusion vulnerabilities in AjPortal2Php allow remote attackers to execute arbitrary PHP code via a URL in the PagePrefix parameter to (1) begin.inc.php, (2) connection.inc.php, (3) events.inc.php, (4) footer.inc.php, (5) header.inc.php, (6) menuleft.inc.php, or (7) pages.inc.php in includes/.
|
2007-04-15
|
AjPortal2Php includes/begin.inc.php PagePrefix Parameter Remote File Inclusion
|
|
37566
Description:
(Description Provided by CVE) : Multiple PHP remote file inclusion vulnerabilities in AjPortal2Php allow remote attackers to execute arbitrary PHP code via a URL in the PagePrefix parameter to (1) begin.inc.php, (2) connection.inc.php, (3) events.inc.php, (4) footer.inc.php, (5) header.inc.php, (6) menuleft.inc.php, or (7) pages.inc.php in includes/.
|
2007-04-15
|
AjPortal2Php includes/connection.inc.php PagePrefix Parameter Remote File Inclusion
|
|
37567
Description:
(Description Provided by CVE) : Multiple PHP remote file inclusion vulnerabilities in AjPortal2Php allow remote attackers to execute arbitrary PHP code via a URL in the PagePrefix parameter to (1) begin.inc.php, (2) connection.inc.php, (3) events.inc.php, (4) footer.inc.php, (5) header.inc.php, (6) menuleft.inc.php, or (7) pages.inc.php in includes/.
|
2007-04-15
|
AjPortal2Php includes/events.inc.php PagePrefix Parameter Remote File Inclusion
|
|
37568
Description:
(Description Provided by CVE) : Multiple PHP remote file inclusion vulnerabilities in AjPortal2Php allow remote attackers to execute arbitrary PHP code via a URL in the PagePrefix parameter to (1) begin.inc.php, (2) connection.inc.php, (3) events.inc.php, (4) footer.inc.php, (5) header.inc.php, (6) menuleft.inc.php, or (7) pages.inc.php in includes/.
|
2007-04-15
|
AjPortal2Php includes/footer.inc.php PagePrefix Parameter Remote File Inclusion
|
|
37569
Description:
(Description Provided by CVE) : Multiple PHP remote file inclusion vulnerabilities in AjPortal2Php allow remote attackers to execute arbitrary PHP code via a URL in the PagePrefix parameter to (1) begin.inc.php, (2) connection.inc.php, (3) events.inc.php, (4) footer.inc.php, (5) header.inc.php, (6) menuleft.inc.php, or (7) pages.inc.php in includes/.
|
2007-04-15
|
AjPortal2Php includes/header.inc.php PagePrefix Parameter Remote File Inclusion
|
|
37570
Description:
(Description Provided by CVE) : Multiple PHP remote file inclusion vulnerabilities in AjPortal2Php allow remote attackers to execute arbitrary PHP code via a URL in the PagePrefix parameter to (1) begin.inc.php, (2) connection.inc.php, (3) events.inc.php, (4) footer.inc.php, (5) header.inc.php, (6) menuleft.inc.php, or (7) pages.inc.php in includes/.
|
2007-04-15
|
AjPortal2Php includes/menuleft.inc.php PagePrefix Parameter Remote File Inclusion
|
|
37571
Description:
(Description Provided by CVE) : Multiple PHP remote file inclusion vulnerabilities in AjPortal2Php allow remote attackers to execute arbitrary PHP code via a URL in the PagePrefix parameter to (1) begin.inc.php, (2) connection.inc.php, (3) events.inc.php, (4) footer.inc.php, (5) header.inc.php, (6) menuleft.inc.php, or (7) pages.inc.php in includes/.
|
2007-04-15
|
AjPortal2Php includes/pages.inc.php PagePrefix Parameter Remote File Inclusion
|
|
35393
Description:
Sitebar contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'index.php' script not properly sanitizing user input supplied to the 'writerFile' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server.
|
2007-04-14
|
Sitebar index.php writerFile Parameter Remote File Inclusion
|
|
35394
Description:
Sitebar contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'Integrator.php' script not properly sanitizing user input supplied to the 'file' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server.
|
2007-04-14
|
Sitebar Integrator.php file Parameter Remote File Inclusion
|
|
35359
Description:
(Description Provided by CVE) : ** DISPUTED ** PHP remote file inclusion vulnerability in phpMyChat.php3 in phpMyChat 0.14.5 allows remote attackers to execute arbitrary PHP code via a URL in the {ChatPath} parameter. NOTE: this has been disputed by multiple third parties and CVE because $ChatPath is set to a constant value.
|
2007-04-14
|
phpMyChat phpMyChat.php3 ChatPath Parameter Remote File Inclusion
|
|
35360
Description:
(Description Provided by CVE) : ** DISPUTED ** PHP remote file inclusion vulnerability in index.php in Maian Weblog 3.1 allows remote attackers to execute arbitrary PHP code via a URL in the path_to_folder parameter. NOTE: this issue was disputed by a third party researcher, since the path_to_folder variable is initialized before use.
|
2007-04-14
|
Maian Weblog index.php path_to_folder Parameter Remote File Inclusion
|
|
34147
Description:
Flip-search-add-on contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to everything.php not properly sanitizing user input supplied to the 'incpath' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.
|
2007-04-14
|
Flip-search-add-on everything.php incpath Parameter Remote File Inclusion
|
|
34148
Description:
OpenConcept Back-End CMS has been reported to contain a flaw that may allow a remote attacker to execute arbitrary commands. The issue is supposedly due to the 'cilck.php', 'pollcollector.php', 'site-admin/index.php', 'site-admin/articlepages.php', 'site-admin/articles.php', 'site-admin/articleform.php', 'site-admin/articlesections.php', 'site-admin/createArticlesPage.php', 'site-admin/guestbook.php', 'site-admin/helpguide.php', 'site-admin/helpguideeditor.php', 'site-admin/links.php', 'site-admin/upload.php', 'site-admin/sitestatistics.php', 'site-admin/nav.php', 'site-admin/tpl_upload.php', 'site-admin/linksections', and 'site-admin/pophelp.php' scripts not properly sanitizing user input supplied to the 'includes_path' variable. Additional third-party examination indicates this is not an issue, because the variable is always overridden by an internally configured value.
|
2007-04-14
|
Back-End CMS Multiple Script includes_path Parameter Remote File Inclusion
|
|
35358
Description:
(Description Provided by CVE) : PHP remote file inclusion vulnerability in chat.php in MySpeach 1.9 allows remote attackers to execute arbitrary PHP code via a URL in the my[root] parameter, a different vector than CVE-2007-0498.
|
2007-04-14
|
MySpeach chat.php my[root] Parameter Remote File Inclusion
|
|
34152
Description:
b2evolution has been reported to contain a flaw that may allow a remote attacker to execute arbitrary commands. The issue was supposedly due to 'blogs/index.php' not properly sanitizing user input supplied to the 'core_subdir' variable. However, third-party research indicates that file inclusions are not possible because the software uses a hard-coded value from a configuration script for this variable, which is therefore restricted from being called directly.
|
2007-04-14
|
b2evolution blogs/index.php core_subdir Parameter Remote File Inclusion
|
|
34149
Description:
Maian Gallery contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to index.php not properly sanitizing user input supplied to the 'path_to_folder' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.
|
2007-04-14
|
Maian Gallery index.php path_to_folder Parameter Remote File Inclusion
|