| OSVDB ID | Disclosure Date | Title | Description |
|---|---|---|---|
| 64735 | 2010-04-13 | 60cycleCMS submitComment.php DOCUMENT_ROOT Parameter Traversal Local File Inclusion | 60cycleCMS contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'submitComment.php' script not properly sanitizing user input, specifically directory-traversal-style attacks (e.g., ../../) supplied to the 'DOCUMENT_ROOT' parameter. This may allow an attacker to include a file from the targeted host that contains arbitrary commands or code that will be executed by the vulnerable script. Such attacks are limited because the script only calls files already on the target host. In addition, this flaw can potentially be used to disclose the contents of any file on the system accessible by the web server. |
| 45247 | 2008-05-15 | 68 Classifieds category.php cat Parameter SQL Injection | 68 Classifieds contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'category.php' script not properly sanitizing user-supplied input to the 'cat' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database. |
| 56564 | 2009-07-27 | 68 Classifieds category.php cat Parameter XSS | 68 Classifieds contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the 'cat' parameter upon submission to the 'category.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 56565 | 2009-07-27 | 68 Classifieds login.php goto Parameter XSS | 68 Classifieds contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the 'goto' parameter upon submission to the 'login.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 56566 | 2009-07-27 | 68 Classifieds searchresults.php page Parameter XSS | 68 Classifieds contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the 'page' parameter upon submission to the 'searchresults.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 56567 | 2009-07-27 | 68 Classifieds toplistings.php page Parameter XSS | 68 Classifieds contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the 'page' parameter upon submission to the 'toplistings.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 56568 | 2009-07-27 | 68 Classifieds viewlisting.php view Parameter XSS | 68 Classifieds contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the 'view' parameter upon submission to the 'viewlisting.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 56569 | 2009-07-27 | 68 Classifieds viewmember.php member Parameter XSS | 68 Classifieds contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the 'member' parameter upon submission to the 'viewmember.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 68668 | 2010-03-27 | 68KB modules/show.php file Parameter Remote File Inclusion | 68KB contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'modules/show.php' script not properly sanitizing user input supplied to the 'file' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server. |
| 37013 | 2007-06-25 | 6ALBlog admin/index.php pg Parameter Remote File Inclusion | 6ALBlog contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'admin/index.php' script not properly sanitizing user input supplied to the 'pg' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server. |
| 37012 | 2007-06-25 | 6ALBlog member.php Multiple Parameter SQL Injection | (Description provided by CVE): SQL injection vulnerability in member.php in 6ALBlog allows remote attackers to execute arbitrary SQL commands via the newsid parameter. |
| 83472 | 2011-10-10 | 6kbbs /admin/portalchannel_ajax.php File Creation PHP Code Execution CSRF | 6kbbs contains a flaw that allows a remote Cross-site Request Forgery (CSRF / XSRF) attack. The flaw exists because the /admin/portalchannel_ajax.php script does not require multiple steps or explicit confirmation for sensitive transactions such as the writing of files to certain directories. By using a crafted URL (e.g., a crafted GET request inside an "img" tag), an attacker may trick the victim into clicking on the image to take advantage of the trust relationship between the authenticated victim and the application. Such an attack could trick the victim into creating files that may then be called via a separate CSRF attack or possibly other means, and executed in the context of their session with the application, without further prompting or verification. |
| 83471 | 2011-10-10 | 6kbbs /admin/user_ajax.php File Creation PHP Code Execution CSRF | 6kbbs contains a flaw that allows a remote Cross-site Request Forgery (CSRF / XSRF) attack. The flaw exists because the /admin/user_ajax.php script does not require multiple steps or explicit confirmation for sensitive transactions such as the writing of files to certain user-reachable directories. By using a crafted URL (e.g., a crafted GET request inside an "img" tag), an attacker may trick the victim into clicking on the image to take advantage of the trust relationship between the authenticated victim and the application. Such an attack could trick the victim into creating files that may then be called via a direct request and executed in the context of their session with the application, without further prompting or verification. |
| 69361 | 2010-11-11 | 6kbbs ajaxadmin.php tids[] Parameter SQL Injection | 6kbbs contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the ajaxadmin.php script not properly sanitizing user-supplied input to the 'tids[]' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. |
| 69362 | 2010-11-11 | 6kbbs ajaxmember.php msgids[] Parameter SQL Injection | 6kbbs contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the ajaxmember.php script not properly sanitizing user-supplied input to the 'msgids[]' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. |
| 69360 | 2010-11-11 | 6kbbs ajaxmember.php Multiple Parameter XSS | 6kbbs contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'user[msn]', 'user[email]', 'user[phone]', and 'tids[]' parameters upon submission to the ajaxmember.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 83474 | 2011-10-10 | 6kbbs Multiple Script Information Disclosure | 6kbbs contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker sends a direct request to the /admin/portalcollect.php script, or calls certain files by passing input via the 'f' parameter to the /getfiles.php script, which will disclose certain unspecified information to a remote attacker. |
| 83473 | 2011-10-10 | 6kbbs Multiple Script URI XSS | 6kbbs contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate input passed via the URL upon submission to the index.php, online.php, forum.php, login.php, and credits.php scripts. This may allow a user to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 48673 | 2008-09-22 | 6rbScript cat.php CatID Parameter SQL Injection | 6rbScript contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'cat.php' script not properly sanitizing user-supplied input to the 'CatID' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database. |
| 48508 | 2008-09-21 | 6rbScript section.php name Parameter Traversal Arbitrary File Access | (Description provided by CVE): Directory traversal vulnerability in section.php in 6rbScript 3.3, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the name parameter. |
| 48509 | 2008-09-21 | 6rbScript section.php singerid Parameter SQL Injection | 6rbScript contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'section.php' script not properly sanitizing user-supplied input to the 'singerid' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database. |
| 1977 | 2001-10-23 | 6Tunnel Connection Close State Remote DoS | 6Tunnel contains a flaw that may allow a remote denial of service. The issue is triggered when a client repeatedly connects to and disconnects from the server, and will result in a loss of availability for the service. |