| OSVDB ID | Disclosure Date | Title | Description |
|---|---|---|---|
| 32541 | 2006-12-27 | bubla (buratinable templator) process.php Multiple Parameter Remote File Inclusion | (Description Provided by CVE): Multiple PHP remote file inclusion vulnerabilities in process.php in Vladimir Menshakov buratinable templator (aka bubla) 1.0.0rc2 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the (1) bu_dir or (2) bu_config[dir] parameter. |
| 33330 | 2006-12-27 | Secure Login Manager set_preferences.asp XSS | (Description Provided by CVE): Multiple cross-site scripting (XSS) vulnerabilities in DMXReady Secure Login Manager 1.0 allow remote authenticated administrators to inject arbitrary web script or HTML via unspecified parameters to (1) set_preferences.asp, (2) send_password_preferences.asp, and (3) SecureLoginManager/list.asp in the Local-Admin Panel. |
| 33331 | 2006-12-27 | Secure Login Manager send_password_preferences.asp XSS | (Description Provided by CVE): Multiple cross-site scripting (XSS) vulnerabilities in DMXReady Secure Login Manager 1.0 allow remote authenticated administrators to inject arbitrary web script or HTML via unspecified parameters to (1) set_preferences.asp, (2) send_password_preferences.asp, and (3) SecureLoginManager/list.asp in the Local-Admin Panel. |
| 33332 | 2006-12-27 | Secure Login Manager SecureLoginManager/list.asp XSS | (Description Provided by CVE): Multiple cross-site scripting (XSS) vulnerabilities in DMXReady Secure Login Manager 1.0 allow remote authenticated administrators to inject arbitrary web script or HTML via unspecified parameters to (1) set_preferences.asp, (2) send_password_preferences.asp, and (3) SecureLoginManager/list.asp in the Local-Admin Panel. |
| 33333 | 2006-12-27 | Secure Login Manager set_preferences.asp SQL Injection | Secure Login Manager contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the set_preferences.asp script not properly sanitizing user-supplied input to an unknown variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database. |
| 33334 | 2006-12-27 | Secure Login Manager send_password_preferences.asp SQL Injection | Secure Login Manager contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the send_password_preferences.asp script not properly sanitizing user-supplied input to an unspecified variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database. |
| 33335 | 2006-12-27 | Secure Login Manager SecureLoginManager/list.asp SQL Injection | Secure Login Manager contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the SecureLoginManager/list.asp script not properly sanitizing user-supplied input to an unspecified variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database. |
| 33336 | 2006-12-27 | Secure Login Manager login.asp sent Parameter SQL Injection | Secure Login Manager contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the login.asp script not properly sanitizing user-supplied input to the 'sent' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database. |
| 33337 | 2006-12-27 | Secure Login Manager content.asp sent Parameter SQL Injection | Secure Login Manager contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the content.asp script not properly sanitizing user-supplied input to the 'sent' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database. |
| 33338 | 2006-12-27 | Secure Login Manager members.asp sent Parameter SQL Injection | Secure Login Manager contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the members.asp script not properly sanitizing user-supplied input to the 'sent' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database. |
| 33339 | 2006-12-27 | Secure Login Manager applications/SecureLoginManager/inc_secureloginmanager.asp sent Parameter SQL Injection | (Description Provided by CVE): Multiple SQL injection vulnerabilities in DMXReady Secure Login Manager 1.0 allow remote attackers to execute arbitrary SQL commands via unspecified parameters to (1) set_preferences.asp, (2) send_password_preferences.asp, and (3) SecureLoginManager/list.asp in the Local-Admin Panel; (4) the sent parameter to (a) login.asp, (b) content.asp, and (c) members.asp in the Remote-WebSite; and (5) the sent parameter to applications/SecureLoginManager/inc_secureloginmanager.asp in the Live Demo. |
| 31519 | 2006-12-27 | AlstraSoft Web Host Directory Invalid URI Path Disclosure | (Description Provided by CVE): AlstraSoft Web Host Directory allows remote attackers to obtain sensitive information by requesting any invalid URI, which reveals the path in an error message, a different vulnerability than CVE-2006-2617. |
| 31520 | 2006-12-27 | AlstraSoft Web Host Directory Admin Password Modification | (Description Provided by CVE): AlstraSoft Web Host Directory allows remote attackers to bypass authentication and change the admin password via a direct request to admin/config. |
| 31521 | 2006-12-27 | AlstraSoft Web Host Directory Database Download | (Description Provided by CVE): AlstraSoft Web Host Directory stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a backup database via a direct request for admin/backup/db. |
| 31578 | 2006-12-27 | WordPress templates.php file Parameter XSS | WordPress contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'file' variable upon submission to the 'templates.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 35713 | 2006-12-27 | Yrch plug.inc.php path Parameter Remote File Inclusion | (Description Provided by CVE): PHP remote file inclusion vulnerability in plugins/metasearch/plug.inc.php in Yrch! 1.0 allows remote attackers to execute arbitrary PHP code via a URL in the path parameter. |
| 33326 | 2006-12-26 | LuckyBot Multiple Script dir Parameter Remote File Inclusion | (Description Provided by CVE): Multiple PHP remote file inclusion vulnerabilities in LuckyBot 3 allow remote attackers to execute arbitrary PHP code via a URL in the dir parameter to (1) run.php or (2) ircbot.class.php. |
| 34756 | 2006-12-26 | EasyPartner for Joomla! Multiple Unspecified Remote File Inclusion | (Description Provided by CVE): PHP remote file inclusion vulnerability in the BE IT EasyPartner 0.0.9 beta component for Joomla! allows remote attackers to execute arbitrary PHP code via unspecified vectors. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. |
| 36176 | 2006-12-26 | Ultimate PHP Board (UPB) chat/login.php username Variable Arbitrary Code Injection | (Description Provided by CVE): Direct static code injection vulnerability in chat/login.php in Ultimate PHP Board (UPB) 2.0b1 and earlier allows remote attackers to inject arbitrary PHP code via the username parameter, which is injected into chat/text.php. |
| 36649 | 2006-12-26 | Efkan Forum forum.mdb Direct Request Information Disclosure | (Description Provided by CVE): Efkan Forum 1.0 and earlier store sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for forum.mdb. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. |
| 30893 | 2006-12-26 | phpHtmlLib example6.php phphtmllib Parameter Remote File Inclusion | (Description Provided by CVE): ** DISPUTED ** PHP remote file inclusion vulnerability in lib/php/phphtmllib-2.5.4/examples/example6.php for maintain 3.0.0-RC2 allows remote attackers to execute arbitrary PHP code via a URL in the phphtmllib parameter. NOTE: this issue might be in phpHtmlLib. NOTE: CVE disputes this issue for proper installations of maintain, since $phphtmllib is set in includes.inc before being used in example6.php. |
| 30964 | 2006-12-26 | Parabuild Security Subsystem Unspecified Issue | Unknown / Incomplete |
| 32504 | 2006-12-26 | PHP-Update admin/uploads.php Unrestricted File Upload | (Description Provided by CVE): Unrestricted file upload vulnerability in admin/uploads.php in PHP-Update 2.7 and earlier allows remote authenticated users to upload arbitrary PHP scripts to the gfx/ and files/ directories via the userfile parameter. |
| 32505 | 2006-12-26 | PHP-Update code/guestadd.php Multiple Parameter SQL Injection | (Description Provided by CVE): Multiple SQL injection vulnerabilities in code/guestadd.php in PHP-Update 2.7 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) newmessage, (2) newname, (3) newwebsite, or (4) newemail parameter. |
| 31587 | 2006-12-26 | Pagetool pt_upload.php ptconf[src] Remote File Inclusion | (Description Provided by CVE): Multiple PHP file inclusion vulnerabilities in src/admin/pt_upload.php in Pagetool 1.07 allow remote attackers to execute arbitrary PHP code via (1) a local filename or FTP/share URI in the config_file parameter or (2) a URL in the ptconf[src] parameter. |
| 32453 | 2006-12-26 | pnamazu Unspecified XSS | (Description Provided by CVE): Cross-site scripting (XSS) vulnerability in pnamazu 2006.02.28 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 31515 | 2006-12-26 | Enthrallweb eCoupons myprofile.asp MM_recordId Account Modification | (Description Provided by CVE): myprofile.asp in Enthrallweb eCoupons does not properly validate the MM_recordId parameter during profile updates, which allows remote authenticated users to modify certain profile fields of another account by specifying that account's username in a modified MM_recordId parameter. |
| 32442 | 2006-12-26 | KISGB admin.php default_path_for_themes Parameter Remote File Inclusion | KISGB contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'admin.php' script not properly sanitizing user input supplied to the 'default_path_for_themes' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server. |
| 32443 | 2006-12-26 | KISGB upconfig.php default_path_for_themes Parameter Remote File Inclusion | KISGB contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'upconfig.php' script not properly sanitizing user input supplied to the 'default_path_for_themes' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server. |
| 32550 | 2006-12-26 | Hosting Controller FolderManager/FolderManager.aspx BrowsePath Parameter Traversal Arbitrary File Access | (Description Provided by CVE): Directory traversal vulnerability in FolderManager/FolderManager.aspx in Hosting Controller 7c allows remote authenticated users to read and modify arbitrary files, and list arbitrary directories via ..\ (dot dot backslash) sequences in the BrowsePath parameter. |
| 37371 | 2006-12-26 | phpProfiles Multiple Directory Open Browsing | (Description Provided by CVE): phpProfiles before 2.1.1 does not have an index.php or other index file in the (1) image_data, (2) graphics/comm, or (3) users read/write directories, which might allow remote attackers to list directory contents or have other unknown impacts. |
| 31528 | 2006-12-26 | Calendar MX BASIC ID calendar_detail.asp ID SQL Injection | (Description Provided by CVE): SQL injection vulnerability in calendar_detail.asp in Calendar MX BASIC 1.0.2 and earlier allows remote attackers to execute arbitrary SQL commands via the ID parameter. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. |
| 31683 | 2006-12-26 | Dragon Business Directory Pro bus_details.asp ID SQL Injection | (Description Provided by CVE): SQL injection vulnerability in bus_details.asp in Dragon Business Directory - Pro (aka Dragon Internet Business Search Directory - Pro) 3.01.12 and earlier allows remote attackers to execute arbitrary SQL commands via the ID parameter. |
| 31684 | 2006-12-26 | Newsletter MX admin_mail_adressee.asp ID SQL Injection | (Description Provided by CVE): SQL injection vulnerability in admin/admin_mail_adressee.asp in Newsletter MX 1.0.2 and earlier allows remote attackers to execute arbitrary SQL commands via the ID parameter. |
| 31685 | 2006-12-26 | Jinzora popup.php include_path File Inclusion | (Description Provided by CVE): Multiple PHP remote file inclusion vulnerabilities in Jinzora Media Jukebox 2.7 and earlier, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the include_path parameter in (1) popup.php, (2) rss.php, (3) ajax_request.php, and (4) mediabroadcast.php. |
| 31686 | 2006-12-26 | Jinzora rss.php include_path File Inclusion | (Description Provided by CVE): Multiple PHP remote file inclusion vulnerabilities in Jinzora Media Jukebox 2.7 and earlier, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the include_path parameter in (1) popup.php, (2) rss.php, (3) ajax_request.php, and (4) mediabroadcast.php. |
| 31687 | 2006-12-26 | Jinzora ajax_request.php include_path File Inclusion | (Description Provided by CVE): Multiple PHP remote file inclusion vulnerabilities in Jinzora Media Jukebox 2.7 and earlier, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the include_path parameter in (1) popup.php, (2) rss.php, (3) ajax_request.php, and (4) mediabroadcast.php. |
| 31688 | 2006-12-26 | Jinzora mediabroadcast.php include_path File Inclusion | (Description Provided by CVE): Multiple PHP remote file inclusion vulnerabilities in Jinzora Media Jukebox 2.7 and earlier, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the include_path parameter in (1) popup.php, (2) rss.php, (3) ajax_request.php, and (4) mediabroadcast.php. |
| 35838 | 2006-12-26 | Efkan Forum admin.asp grup Parameter SQL Injection | (Description Provided by CVE): Multiple SQL injection vulnerabilities in Efkan Forum 1.0 and earlier allow remote attackers to execute arbitrary SQL commands via (1) the grup parameter in admin.asp, or the id parameter in (2) default.asp or (3) admin.asp. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. The default.asp/grup vector is already covered by CVE-2006-6794. |
| 35839 | 2006-12-26 | Efkan Forum default.asp id Parameter SQL Injection | (Description Provided by CVE): Multiple SQL injection vulnerabilities in Efkan Forum 1.0 and earlier allow remote attackers to execute arbitrary SQL commands via (1) the grup parameter in admin.asp, or the id parameter in (2) default.asp or (3) admin.asp. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. The default.asp/grup vector is already covered by CVE-2006-6794. |