Php Exploits
1,332 exploits tracked across all sources.
Adult Script <1.6 - Auth Bypass
admin/administrator.php in Adult Script 1.6 and earlier sends a redirect to the web browser but does not exit, which allows remote attackers to bypass authentication and obtain administrative credentials via a direct request. NOTE: this can be leveraged for arbitrary code execution through a request to admin/videolinks_view.php.
by Liz0ziM
Neocrome Seditio CMS <121 - SQL Injection
SQL injection vulnerability in plugins/search/search.php in Neocrome Seditio CMS 121 and earlier allows remote attackers to execute arbitrary SQL commands via the pag_sub[] parameter to plug.php.
by InATeam
PHP 4.0.0-4.4.6 and 5.0.0-5.2.1 - CRLF Injection via Mail Function Header Parameters
CRLF injection vulnerability in the mail function in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 allows remote attackers to inject arbitrary e-mail headers and possibly conduct spam attacks via a control character immediately following folding of the (1) Subject or (2) To parameter, as demonstrated by a parameter containing a "\r\n\t\n" sequence, related to an increment bug in the SKIP_LONG_HEADER_SEP macro.
by Stefan Esser
RunCMS 1.6 - 'disclaimer.php' Remote File Overwrite
by BugReport.IR
Sciurus Hosting Panel - Code Injection
Direct static code injection vulnerability in acp/savenews.php in Sciurus Hosting Panel, possibly 2.0.3, allows remote attackers to inject arbitrary PHP code via the filecontents parameter, which can be executed by accessing includes/news.php.
by Liz0ziM
IceBB 1.0-rc6 - SQL Injection via X-Forwarded-For HTTP Header
SQL injection vulnerability in admin/index.php in IceBB 1.0-rc6 allows remote attackers to execute arbitrary SQL commands via the X-Forwarded-For HTTP header.
by Gu1ll4um3r0m41n
KDE Konqueror < 3.5.6 - Denial of Service via Large HTTP Cookie Parameters
KDE Konqueror 3.5.6 and earlier allows remote attackers to cause a denial of service (crash) via large HTTP cookie parameters.
by laurent gaffie
JBC Explorer < 7.20_rc1 - Unauthenticated Authentication Bypass via auth.php Parameter Manipulation
dirsys/modules/auth.php in JBC Explorer 7.20 RC1 and earlier does not require authentication, which allows remote attackers to (1) delete auth.inc.php via the suppr parameter, and (2) re-create the auth.inc.php file with contents that specify a new account name and password for JBC Explorer via the login and password parameters.
by DarkFig
JBC Explorer <7.20 RC1 - Code Injection
Direct static code injection vulnerability in dirsys/modules/config/post.php in JBC Explorer 7.20 RC1 and earlier allows remote authenticated administrators to inject arbitrary PHP code via the DEBUG parameter, which can be executed by accessing config.inc.php. NOTE: this can be exploited by unauthenticated remote attackers by leveraging CVE-2007-5913.
by DarkFig
PHP < 5.2.4 - OS Command Injection via COM Functions
The Component Object Model (COM) functions in PHP 5.x on Windows do not follow safe_mode and disable_functions restrictions, which allows context-dependent attackers to bypass intended limitations, as demonstrated by executing objects with the kill bit set in the corresponding ActiveX control Compatibility Flags, executing programs via a function in compatUI.dll, invoking wscript.shell via wscript.exe, invoking Scripting.FileSystemObject via wshom.ocx, and adding users via a function in shgina.dll, related to the com_load_typelib function.
by shinnai
Lussumo Vanilla < 1.1.3 - SQL Injection via CategoryID Parameter
Multiple SQL injection vulnerabilities in Lussumo Vanilla 1.1.3 and earlier allow remote attackers to execute arbitrary SQL commands via (1) the CategoryID parameter to ajax/sortcategories.php or (2) an unspecified vector to ajax/sortroles.php.
by InATeam
Lussumo Vanilla < 1.1.3 - Unauthenticated Unauthorized Sort Operations
Lussumo Vanilla 1.1.3 and earlier does not require admin privileges for (1) ajax/sortcategories.php and (2) ajax/sortroles.php, which allows remote attackers to conduct unauthorized sort operations and other activities.
by InATeam
ionCube Loader 6.5 for PHP 5.2.4 - Safe Mode and Function Restriction Bypass via ioncube_read_file
ioncube_loader_win_5.2.dll in the ionCube Loader 6.5 extension for PHP 5.2.4 does not follow safe_mode and disable_functions restrictions, which allows context-dependent attackers to bypass intended limitations, as demonstrated by reading arbitrary files via the ioncube_read_file function.
by shinnai
php-stats 0.1.9.2 - SQL Injection via ip or t Parameter
Multiple SQL injection vulnerabilities in php-stats.recjs.php in Php-Stats 0.1.9.2 allow remote attackers to execute arbitrary SQL commands via the (1) ip or (2) t parameter.
by EgiX
Php-Stats 0.1.9.2 - Authenticated Remote Code Execution via Eval Injection in Admin Options
Multiple eval injection vulnerabilities in Php-Stats 0.1.9.2 allow remote authenticated administrators to execute arbitrary code by writing PHP sequences to the php-stats-options record in the _options table, which is used in an eval function call by (1) admin.php, (2) click.php, (3) download.php, and unspecified other files, as demonstrated by modifying _options through a backup restore action in admin.php.
by EgiX
LightBlog 8.4.1.1 - Authenticated Privilege Escalation via cp_memberedit.php
cp_memberedit.php in LightBlog 8.4.1.1 does not check for administrative credentials when processing an admin action, which allows remote authenticated users to increase the privileges of any account.
by BlackHawk
PHP Homepage M 1.0 - SQL Injection via Galerie.php ID Parameter
SQL injection vulnerability in galerie.php in PHP Homepage M (phpHPm) 1.0, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the id parameter in a show action.
by [PHCN] Mahjong
CMS Creamotion - Remote File Inclusion via cfg[document_uri] Parameter
Multiple PHP remote file inclusion vulnerabilities in CMS Creamotion allow remote attackers to execute arbitrary PHP code via a URL in the cfg[document_uri] parameter to (1) _administration/securite.php and (2) _administration/gestion_configurations/save_config.php.
by HACKERS PAL
PHP-Fusion Expanded Calendar Module - SQL Injection via sel Parameter
SQL injection vulnerability in infusions/calendar_events_panel/show_single.php in the Expanded Calendar 2.x module for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the sel parameter.
by Matrix86
Zomplog <= 3.8.1 - Authenticated Arbitrary File Upload via admin/upload_files.php
Unrestricted file upload vulnerability in admin/upload_files.php in Zomplog 3.8.1 and earlier allows remote authenticated administrators to upload and execute arbitrary .php files by sending a modified MIME type. NOTE: this can be exploited by unauthenticated attackers by leveraging CVE-2007-5230.
by InATeam
Zomplog <= 3.8.1 - Unauthenticated Administrative Action Execution via Direct Request
admin/upload_files.php in Zomplog 3.8.1 and earlier does not check for administrative credentials, which allows remote attackers to perform administrative actions via a direct request. NOTE: this can be leveraged for code execution by exploiting CVE-2007-5231.
by InATeam
zomplog <= 3.8.1 - Unauthenticated Sensitive Information Exposure via Upload Directory
Zomplog 3.8.1 and earlier stores potentially sensitive information under the web root with insufficient access control, which allows remote attackers to download files that were uploaded by users, as demonstrated by obtaining a directory listing via a direct request to /upload and then retrieving individual files. NOTE: in a non-default configuration, the directory listing is denied, but filenames may be predicable.
by InATeam
Shop-Script < 2.0 - Unauthenticated Admin Panel Access via Improper Redirect Handling
admin.php in Shop-Script FREE 2.0 and earlier sends a redirect to the web browser but does not exit when administrative credentials are missing, which allows remote attackers to access the admin panel.
by InATeam
Shop-Script FREE <= 2.0 - Remote Code Execution via Appearance Configuration Parameters
Direct static code injection vulnerability in includes/admin/sub/conf_appearence.php in Shop-Script FREE 2.0 and earlier allows remote attackers to inject arbitrary PHP code into cfg/appearence.inc.php via a save_appearence action in admin.php, as demonstrated with the (1) productscount, (2) colscount, and (3) darkcolor parameters.
by InATeam
Gelatocms - SQL Injection
SQL injection vulnerability in classes/gelato.class.php in Gelato allows remote attackers to execute arbitrary SQL commands via the post parameter to index.php.
by s0cratex
By Source