Hamid Ebadi

24 exploits Active since Feb 2006
CVE-2006-3184 EXPLOITDB text WORKING POC
ASP Stats Generator <2.1.2 - Code Injection
Direct static code injection vulnerability in ASP Stats Generator before 2.1.2 allows remote authenticated attackers to execute arbitrary ASP code via the strAsgSknPageBgColour parameter to settings_skin.asp, which is stored in inc_skin_file.asp.
CVE-2008-0337 EXPLOITDB text WRITEUP
MiniWeb HTTP Server 0.8.19 - Remote Code Execution via Long URI
Heap-based buffer overflow in the _mwProcessReadSocket function in http.c in MiniWeb HTTP Server 0.8.19 allows remote attackers to execute arbitrary code via a long URI.
CVE-2007-1851 EXPLOITDB text WORKING POC
Really Simple PHP and Ajax 2007-03-23 - Remote File Inclusion via __class Parameter
Multiple directory traversal vulnerabilities in Really Simple PHP and Ajax (RSPA) 2007-03-23 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the __class parameter to (1) Controller_v4.php or (2) Controller_v5.php.
CVE-2008-0338 EXPLOITDB text WRITEUP
MiniWeb HTTP Server 0.8.19 - Path Traversal via Partially Encoded Dot Dot Sequences
Directory traversal vulnerability in the mwGetLocalFileName function in http.c in MiniWeb HTTP Server 0.8.19 allows remote attackers to read arbitrary files and list arbitrary directories via a (1) .%2e (partially encoded dot dot) or (2) %2e%2e (encoded dot dot) in the URI.
CVE-2008-6938 EXPLOITDB text WRITEUP
Pi3Web < 2.0.3_pl1 - Denial of Service via ISAPI Directory File Request
Pi3Web 2.0.3 before PL2, when installed on Windows as a desktop application and without using the Pi3Web/Conf/Intenet.pi3, allows remote attackers to cause a denial of service (crash or hang) and obtain the full pathname of the server via a request to a file in the ISAPI directory that is not an executable DLL, which triggers the crash when the DLL load fails, as demonstrated using Isapi\users.txt.
CVE-2006-3361 EXPLOITDB text WORKING POC
stud.ip < 1.3.0-2 - Remote File Inclusion via _PHPLIB[libdir] or ABSOLUTE_PATH_STUDIP Parameter
PHP remote file inclusion vulnerability in Stud.IP 1.3.0-2 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via the (1) _PHPLIB[libdir] parameter in studip-phplib/oohforms.inc and (2) ABSOLUTE_PATH_STUDIP parameter in studip-htdocs/archiv_assi.php.
CVE-2006-0721 EXPLOITDB text WORKING POC
RunCMS 1.2 and 1.3a - SQL Injection via pmlite.php to_userid Parameter
SQL injection vulnerability in pmlite.php in RunCMS 1.2 and 1.3a allows remote attackers to execute arbitrary SQL commands via the to_userid parameter.
CVE-2007-1982 EXPLOITDB text WORKING POC
really_simple_php_and_ajax < 2007-03-23 - Remote File Inclusion
Multiple PHP remote file inclusion vulnerabilities in Really Simple PHP and Ajax (RSPA) 2007-03-23 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the (1) __IncludeFilePHPClass, (2) __ClassPath, and (3) __class parameters to (a) rspa/framework/Controller_v5.php, and (b) rspa/framework/Controller_v4.php.
CVE-2007-1076 EXPLOITDB text WRITEUP
phpTrafficA <1.4.1 - Path Traversal
Multiple directory traversal vulnerabilities in phpTrafficA 1.4.1, and possibly earlier, allow remote attackers to include arbitrary local files via a .. (dot dot) in the (1) file parameter to plotStat.php and the (2) lang parameter to banref.php.
CVE-2007-1076 EXPLOITDB text WRITEUP
phpTrafficA <1.4.1 - Path Traversal
Multiple directory traversal vulnerabilities in phpTrafficA 1.4.1, and possibly earlier, allow remote attackers to include arbitrary local files via a .. (dot dot) in the (1) file parameter to plotStat.php and the (2) lang parameter to banref.php.
CVE-2006-1081 EXPLOITDB text WORKING POC
Jonathan Beckett PluggedOut Nexus 0.1 - SQL Injection via Forgotten Password Email Parameter
SQL injection vulnerability in forgotten_password.php in Jonathan Beckett PluggedOut Nexus 0.1 allows remote attackers to execute arbitrary SQL commands via the email parameter.
CVE-2006-7021 EXPLOITDB text WORKING POC
Plume CMS 1.1.3 - Remote Code Execution via _PX_config[manager_path] Parameter
PHP remote file inclusion vulnerability in manager/tools/link/dbinstall.php in Plume CMS 1.1.3 allows remote attackers to execute arbitrary PHP code via a URL in the _PX_config[manager_path] parameter.
CVE-2006-1773 EXPLOITDB text WORKING POC
phpkit < 1.6.1 - SQL Injection via contentid Parameter
SQL injection vulnerability in include.php in PHPKIT 1.6.1 Release 2 and earlier allows remote attackers to execute arbitrary SQL commands via the contentid parameter, possibly involving content/news.php.
CVE-2009-4018 EXPLOITDB php WORKING POC
PHP <5.2.11 & 5.3.x <5.3.1 - Command Injection
The proc_open function in ext/standard/proc_open.c in PHP before 5.2.11 and 5.3.x before 5.3.1 does not enforce the (1) safe_mode_allowed_env_vars and (2) safe_mode_protected_env_vars directives, which allows context-dependent attackers to execute programs with an arbitrary environment via the env parameter, as demonstrated by a crafted value of the LD_LIBRARY_PATH environment variable.
CVE-2007-2337 EXPLOITDB text WRITEUP
Exponent CMS <= 0.96.6 - Cross-Site Scripting via Multiple Parameters
Multiple cross-site scripting (XSS) vulnerabilities in Exponent CMS 0.96.6 Alpha and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) url parameter to (a) magpie_debug.php and (b) magpie_simple.php in external/magpierss/scripts/, the (2) rss_url parameter to (c) magpie_slashbox.php in external/magpierss/scripts/, and the (3) body parameter to the (d) weblogmodule (aka Weblog Comments) module.
CVE-2007-2337 EXPLOITDB text WORKING POC
Exponent CMS <= 0.96.6 - Cross-Site Scripting via Multiple Parameters
Multiple cross-site scripting (XSS) vulnerabilities in Exponent CMS 0.96.6 Alpha and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) url parameter to (a) magpie_debug.php and (b) magpie_simple.php in external/magpierss/scripts/, the (2) rss_url parameter to (c) magpie_slashbox.php in external/magpierss/scripts/, and the (3) body parameter to the (d) weblogmodule (aka Weblog Comments) module.
CVE-2007-2252 EXPLOITDB text WRITEUP
Exponent CMS 0.96.6 Alpha - Directory Traversal via iconspopup.php icodir Parameter
Directory traversal vulnerability in iconspopup.php in Exponent CMS 0.96.6 Alpha and earlier allows remote attackers to obtain sensitive information via a .. (dot dot) in the icodir parameter.
CVE-2006-2339 EXPLOITDB text WORKING POC
evoTopsites 2.x and evoTopsites Pro 2.x - SQL Injection via cat_id or id Parameter
SQL injection vulnerability in index.php in evoTopsites 2.x and evoTopsites Pro 2.x allows remote attackers to execute arbitrary SQL commands via the (1) cat_id and (2) id parameters.
CVE-2006-0660 EXPLOITDB text WRITEUP
FarsiNews 2.5 - Directory Traversal and Arbitrary File Read via Archive Parameter
Multiple directory traversal vulnerabilities in FarsiNews 2.5 and earlier allows remote attackers to (1) read arbitrary files or trigger an error message path disclosure via ".." or invalid names in the archive parameter to index.php, or (2) include arbitrary files via the template parameter to show_archives.php.
CVE-2006-0502 EXPLOITDB text WRITEUP
FarsiNews < 2.1_beta2 - Remote File Inclusion via loginout.php cutepath Parameter
PHP remote file inclusion vulnerability in loginout.php in FarsiNews 2.1 Beta 2 and earlier, with register_globals enabled, allows remote attackers to include arbitrary files via a URL in the cutepath parameter.
EIP-2026-106301 EXPLOITDB php WORKING POC
CuteNews 1.4.1 - 'function.php' Local File Inclusion
EIP-2026-105564 EXPLOITDB text WORKING POC
Blursoft Blur6ex 0.3.462 - 'index.php' Local File Inclusion
CVE-2008-5498 EXPLOITDB text WORKING POC
PHP < 5.2.8 - Exposure of Sensitive Information via imageRotate Function
Array index error in the imageRotate function in PHP 5.2.8 and earlier allows context-dependent attackers to read the contents of arbitrary memory locations via a crafted value of the third argument (aka the bgd_color or clrBack argument) for an indexed image.
CVE-2006-3580 EXPLOITDB text WORKING POC
asp_stats_generator < 2.1.1 - SQL Injection via order Parameter
SQL injection vulnerability in pages.asp in ASP Stats Generator before 2.1.2 allows remote attackers to execute arbitrary SQL commands via the order parameter.