PHP Exploits
1,332 exploits tracked across all sources.
TCExam < 4.0.011 - Unauthenticated Arbitrary File Write via SessionUserLang Cookie
shared/code/tce_tmx.php in TCExam 4.0.011 and earlier allows remote attackers to create arbitrary PHP files in cache/ by placing file contents and directory traversal manipulations into a SessionUserLang cookie to public/code/index.php.
by rgod
TCExam < 4.0.011 - Cross-Site Scripting via Dynamic Variable Evaluation
Dynamic variable evaluation vulnerability in shared/config/tce_config.php in TCExam 4.0.011 and earlier allows remote attackers to conduct cross-site scripting (XSS) and possibly other attacks by modifying critical variables such as $_SERVER, as demonstrated by injecting web script via the _SERVER[SCRIPT_NAME] parameter.
by rgod
freePBX 2.2.x - Stored Cross-Site Scripting via SIP Protocol Fields
Multiple cross-site scripting (XSS) vulnerabilities in freePBX 2.2.x allow remote attackers to inject arbitrary web script or HTML via the (1) From, (2) To, (3) Call-ID, (4) User-Agent, and unspecified other SIP protocol fields, which are stored in /var/log/asterisk/full and displayed by admin/modules/logfiles/asterisk-full-log.php.
by XenoMuta
Fully Modded phpBB2 - Remote File Inclusion via phpbb_root_path Parameter
PHP remote file inclusion vulnerability in subscp.php in Fully Modded phpBB2 allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.
by HACKERS PAL
ShoutPro < 1.5.2 - Remote Code Execution via Shout Parameter
Direct static code injection vulnerability in shoutbox.php in ShoutPro 1.5.2 allows remote attackers to inject arbitrary PHP code into shouts.php via the shout parameter.
by Gammarays
MyBlog < 0.9.8 - Unauthenticated Authentication Bypass via Admin Cookie Parameter
MyBlog 0.9.8 and earlier allows remote attackers to bypass authentication requirements via the admin cookie parameter to certain admin files, as demonstrated by admin/settings.php.
by BlackHawk
XAMPP < 1.6.0a - Remote Code Execution via ADONewConnection Host Parameter
The ADONewConnection Connect function in adodb.php in XAMPP 1.6.0a and earlier for Windows uses untrusted input for the database server hostname, which allows remote attackers to trigger a library buffer overflow and execute arbitrary code via a long host parameter, or have other unspecified impact. NOTE: it could be argued that this is an issue in mssql_connect (CVE-2007-1411.1) in PHP, or an issue in the ADOdb Library, and the proper fix should be in one of these products; if so, then this should not be treated as a vulnerability in XAMPP.
by rgod
XAMPP 1.6.0a - SQL Injection via Test Scripts
Multiple SQL injection vulnerabilities in XAMPP 1.6.0a for Windows allow remote attackers to execute arbitrary SQL commands via unspecified vectors in certain test scripts.
by rgod
Papoo < 3.02 - SQL Injection via kontakt.php menuid Parameter
SQL injection vulnerability in kontakt.php in Papoo 3.02 and earlier allows remote attackers to execute arbitrary SQL commands via the menuid parameter, a different vector than CVE-2005-4478.
by Kacper
Frogss CMS < 0.7 - SQL Injection via dzial or t Parameter
Multiple SQL injection vulnerabilities in Frogss CMS 0.7 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) dzial parameter to (a) katalog.php, or the (2) t parameter to (b) forum.php or (c) forum/viewtopic.php, different vectors than CVE-2006-4536.
by Kacper
Chatness < 2.5.3 - Privilege Escalation
Stephen Craton (aka WiredPHP) Chatness 2.5.3 and earlier stores usernames and unencrypted passwords in (1) classes/vars.php and (2) classes/varstuff.php, and recommends 0666 or 0777 permissions for these files, which allows local users to gain privileges by reading the files, and allows remote attackers to obtain credentials via a direct request for admin/options.php.
by Gammarays
InoutMailingListManager < 3.1 - Open Redirect
InoutMailingListManager 3.1 and earlier sends a Location redirect header but does not exit after an authorization check fails, which allows remote attackers to access certain restricted functionality, and upload and execute arbitrary PHP code, by ignoring the redirect.
by BlackHawk
InoutMailingListManager < 3.1 - Unauthenticated Arbitrary PHP File Upload and Remote Code Execution via Admin Cookie
InoutMailingListManager 3.1 and earlier allows remote attackers to access certain restricted functionality, and upload and execute arbitrary PHP code, by setting an arbitrary admin cookie.
by BlackHawk
FCKeditor 2.0-2.2 - Unauthenticated Arbitrary File Upload via Extension Blacklist Bypass
Incomplete blacklist vulnerability in connector.php in FCKeditor 2.0 and 2.2, as used in products such as RunCMS, allows remote attackers to upload and execute arbitrary script files by giving the files specific extensions that are not listed in the Config[DeniedExtensions][File], such as .php.txt.
by BlackHawk
InoutMailingListManager < 3.1 - SQL Injection via id Parameter
Multiple SQL injection vulnerabilities in InoutMailingListManager 3.1 and earlier allow remote attackers to execute arbitrary SQL commands via the id parameter to changename.php and other unspecified vectors.
by BlackHawk
SmodCMS < 2.10 - SQL Injection via Slownik Module ssid Parameter
SQL injection vulnerability in index.php in the slownik module in SmodCMS 2.10 and earlier allows remote attackers to execute arbitrary SQL commands via the ssid parameter.
by Kacper
SmodBIP < 1.06 - SQL Injection via Zoom Parameter
SQL injection vulnerability in index.php in the aktualnosci module in SmodBIP 1.06 and earlier allows remote attackers to execute arbitrary SQL commands via the zoom parameter, possibly related to home.php.
by Kacper
phpMyNewsletter < 0.8_beta_5 - Unauthenticated Configuration Modification and Code Injection via saveGlobalconfig Action
admin/index.php in Gregory Kokanosky phpMyNewsletter 0.8 beta5 and earlier provides access to configuration modification before login, which allows remote attackers to cause a denial of service (loss of configuration data), and possibly perform direct static code injection, via a saveGlobalconfig action.
by BlackHawk
phpMyNewsletter < 0.8 beta5 - Open Redirect
admin/send_mod.php in Gregory Kokanosky phpMyNewsletter 0.8 beta5 and earlier prints a Location header but does not exit when administrative credentials are missing, which allows remote attackers to compose an e-mail message via a post with the subject, message, format, and list_id fields; and send the message via a direct request for the MsgId value under admin/.
by BlackHawk
MyBB < 1.2.3 - SQL Injection via Client-IP HTTP Header
SQL injection vulnerability in the create_session function in class_session.php in MyBB (aka MyBulletinBoard) 1.2.3 and earlier allows remote attackers to execute arbitrary SQL commands via the Client-IP HTTP header, as utilized by index.php, a related issue to CVE-2006-3775.
by DarkFig
Magic Winmail Server < 4.2 - Directory Traversal and Arbitrary File Write via sid Parameter
Directory traversal vulnerability in admin/main.php in AMAX Magic Winmail Server 4.2 (build 0824) and earlier allows remote attackers to overwrite arbitrary files with session information via the sid parameter.
by rgod
PHP 4 < 4.4.5 and PHP 5 < 5.2.1 - Integer Overflow in msg_receive Function
Integer overflow in the msg_receive function in PHP 4 before 4.4.5 and PHP 5 before 5.2.1, on FreeBSD and possibly other platforms, allows context-dependent attackers to execute arbitrary code via certain maxsize values, as demonstrated by 0xffffffff.
by Stefan Esser
PHP 4 < 4.4.5 and 5 < 5.2.1 - Buffer Overflow in imap_mail_compose
Buffer overflow in the imap_mail_compose function in PHP 5 before 5.2.1, and PHP 4 before 4.4.5, allows remote attackers to execute arbitrary code via a long boundary string in a type.parameters field. NOTE: as of 20070411, it appears that this issue might be subsumed by CVE-2007-0906.3.
by Stefan Esser
Picture-Engine < 1.2.0 - SQL Injection via wall.php cat Parameter
SQL injection vulnerability in wall.php in Picture-Engine 1.2.0 and earlier allows remote attackers to execute arbitrary SQL commands via the cat parameter.
by Kacper