Fisher762

10 exploits Active since Jan 2008
CVE-2008-7117 EXPLOITDB text WRITEUP
WeBid 0.5.4 - Arbitrary CSS File Modification via file Parameter
eledicss.php in WeBid auction script 0.5.4 allows remote attackers to modify arbitrary cascading style sheets (CSS) files via a certain request with the file parameter set to style.css. NOTE: this can probably be leveraged for cross-site scripting (XSS) attacks.
CVE-2008-7116 EXPLOITDB text WRITEUP
WeBid 0.5.4 - SQL Injection via Admin Panel Username Parameter
SQL injection vulnerability in the admin panel (admin/) in WeBid auction script 0.5.4 allows remote attackers to execute arbitrary SQL commands via the username.
CVE-2008-4082 EXPLOITDB text WORKING POC
Brim 2.0.0 - Authenticated SQL Injection via Tasks Plugin Search Action
SQL injection vulnerability in the Tasks plugin in Brim 2.0.0, when magic_quotes_gpc is disabled, allows remote authenticated users to execute arbitrary SQL commands via an arbitrary field in a search action to index.php.
CVE-2008-2180 EXPLOITDB text WORKING POC
cpLinks 1.03 - SQL Injection via Admin Username or Search Parameters
Multiple SQL injection vulnerabilities in cpLinks 1.03, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) admin_username parameter (aka the username field) to admin/index.php and the (2) search_text and (3) search_category parameters to search.php. NOTE: some of these details are obtained from third party information.
CVE-2008-7118 EXPLOITDB text WRITEUP
WeBid 0.5.4 - Unauthenticated Sensitive Information Exposure via Direct Request
WeBid auction script 0.5.4 stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain SQL query logs via a direct request for logs/cron.log.
CVE-2008-0158 EXPLOITDB text WORKING POC
Shop-Script 2.0 - Path Traversal via aux_page Parameter
Directory traversal vulnerability in index.php in Shop-Script 2.0 and possibly other versions allows remote attackers to read arbitrary files via a .. (dot dot) in the aux_page parameter.
CVE-2008-2177 EXPLOITDB text WORKING POC
phpDirectorySource 1.1.06 - SQL Injection via lid or login Parameter
Multiple SQL injection vulnerabilities in phpDirectorySource 1.1.06, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) lid parameter to show.php and the (2) login parameter to admin.php.
CVE-2008-6656 EXPLOITDB text WORKING POC
Open Auto Classifieds 1.4.3b - SQL Injection via Listings ID Parameter or Login Username Field
Multiple SQL injection vulnerabilities in Open Auto Classifieds 1.4.3b allow remote attackers to execute arbitrary SQL commands via (1) the id parameter to listings.php and (2) the username field to login.php.
CVE-2008-2181 EXPLOITDB text WORKING POC
cpLinks 1.03 - Cross-Site Scripting via search_text and search_category Parameters
Multiple cross-site scripting (XSS) vulnerabilities in search.php in cpLinks 1.03 allow remote attackers to inject arbitrary web script or HTML via the (1) search_text and (2) search_category parameters. NOTE: the XSS reportedly occurs in a forced SQL error message. NOTE: some of these details are obtained from third party information.
CVE-2008-4083 EXPLOITDB text WORKING POC
Brim 2.0 - Authenticated Cross-Site Scripting via Bookmarks Plugin Name Parameter
Cross-site scripting (XSS) vulnerability in the Bookmarks plugin in Brim 2.0 allows remote authenticated users to inject arbitrary web script or HTML via the name parameter in an addItemPost action to index.php. NOTE: some of these details are obtained from third party information.