{"id": "CVE-2007-1790", "bulletinFamily": "NVD", "title": "CVE-2007-1790", "description": "Multiple PHP remote file inclusion vulnerabilities in Kaqoo Auction Software Free Edition allow remote attackers to execute arbitrary PHP code via a URL in the install_root parameter to (1) support.inc.php, (2) function.inc.php, (3) rdal_object.inc.php, (4) rdal_editor.inc.php. (5) login.inc.php, (6) request.inc.php, and (7) categories.inc.php in include/core/; (8) save.inc.php, (9) preview.inc.php, (10) edit_item.inc.php, (11) new_item.inc.php, and (12) item_info.inc.php in include/display/item/; (13) search.inc.php, (14) item_edit.inc.php, (15) register_succsess.inc.php, (16) context_menu.inc.php, (17) item_repost.inc.php, (18) balance.inc.php, (19) featured.inc.php, (20) user.inc.php, (21) buynow.inc.php, (22) install_complete.inc.php, (23) fees_info.inc.php, (24) user_feedback.inc.php, (25) admin_balance.inc.php, (26) activate.inc.php, (27) user_info.inc.php, (28) member.inc.php, (29) add_bid.inc.php, (30) items_filter.inc.php, (31) my_info.inc.php, (32) register.inc.php, (33) leave_feedback.inc.php, and (34) user_auctions.inc.php in include/display/; and (35) design/form.inc.php, (36) processor.inc.php, (37) interfaces.inc.php (38) left_menu.inc.php, (39) login.inc.php, and (40) categories.inc.php in include/.", "published": "2007-03-31T06:19:00", "modified": "2017-10-10T21:31:59", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-1790", "reporter": "NVD", "references": ["https://exchange.xforce.ibmcloud.com/vulnerabilities/33335", "https://www.exploit-db.com/exploits/3607", "http://www.vupen.com/english/advisories/2007/1180", "http://www.securityfocus.com/bid/23211"], "cvelist": ["CVE-2007-1790"], "type": "cve", "lastseen": "2017-10-11T11:07:05", "history": [{"bulletin": {"assessment": {"href": "", "name": "", "system": ""}, "bulletinFamily": "NVD", "cpe": ["cpe:/a:kaqoo:kaqoo_auction_software:::free"], "cvelist": ["CVE-2007-1790"], "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "Multiple PHP remote file inclusion vulnerabilities in Kaqoo Auction Software Free Edition allow remote attackers to execute arbitrary PHP code via a URL in the install_root parameter to (1) support.inc.php, (2) function.inc.php, (3) rdal_object.inc.php, (4) rdal_editor.inc.php. (5) login.inc.php, (6) request.inc.php, and (7) categories.inc.php in include/core/; (8) save.inc.php, (9) preview.inc.php, (10) edit_item.inc.php, (11) new_item.inc.php, and (12) item_info.inc.php in include/display/item/; (13) search.inc.php, (14) item_edit.inc.php, (15) register_succsess.inc.php, (16) context_menu.inc.php, (17) item_repost.inc.php, (18) balance.inc.php, (19) featured.inc.php, (20) user.inc.php, (21) buynow.inc.php, (22) install_complete.inc.php, (23) fees_info.inc.php, (24) user_feedback.inc.php, (25) admin_balance.inc.php, (26) activate.inc.php, (27) user_info.inc.php, (28) member.inc.php, (29) add_bid.inc.php, (30) items_filter.inc.php, (31) my_info.inc.php, (32) register.inc.php, (33) leave_feedback.inc.php, and (34) user_auctions.inc.php in include/display/; and (35) design/form.inc.php, (36) processor.inc.php, (37) interfaces.inc.php (38) left_menu.inc.php, (39) login.inc.php, and (40) categories.inc.php in include/.", "edition": 1, "enchantments": {}, "hash": "c36b5705bec1c644cb8491ebf74cd4ad7023bf7aee007f5979a492ec0be5975c", "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "scanner"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "reporter"}, {"hash": "6d3f4796275bb54c21a33b82f399cc6d", "key": "assessment"}, {"hash": "0077e9e7d0a154acd4322336686d1ec7", "key": "modified"}, {"hash": "11a37ce12b7bb6a1693f8e0b5fdcbd75", "key": "published"}, {"hash": "f1a12dd55a9bd68bdb4fbf9ea5737ce7", "key": "references"}, {"hash": "98eea72defe61d210fb749649df4af99", "key": "cvelist"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "6a5b39ee5a9deda5686b1c8c4dbe8895", "key": "description"}, {"hash": "5ec52bbe9e8040959857f0e14a9193b4", "key": "title"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "8aea9e3428b7216136b7f4e08d927ea1", "key": "cpe"}, {"hash": "d7ff061b683df5966b014bd58c57e28f", "key": "href"}, {"hash": "737e2591b537c46d1ca7ce6f0cea5cb9", "key": "cvss"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-1790", "id": "CVE-2007-1790", "lastseen": "2016-09-03T08:40:10", "modified": "2011-09-08T00:00:00", "objectVersion": "1.2", "published": "2007-03-31T06:19:00", "references": ["http://xforce.iss.net/xforce/xfdb/33335", "http://www.milw0rm.com/exploits/3607", "http://www.vupen.com/english/advisories/2007/1180", "http://www.securityfocus.com/bid/23211"], "reporter": "NVD", "scanner": [], "title": "CVE-2007-1790", "type": "cve", "viewCount": 0}, "differentElements": ["references", "modified"], "edition": 1, "lastseen": "2016-09-03T08:40:10"}, {"bulletin": {"assessment": {"href": "", "name": "", "system": ""}, "bulletinFamily": "NVD", "cpe": ["cpe:/a:kaqoo:kaqoo_auction_software:::free"], "cvelist": ["CVE-2007-1790"], "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "Multiple PHP remote file inclusion vulnerabilities in Kaqoo Auction Software Free Edition allow remote attackers to execute arbitrary PHP code via a URL in the install_root parameter to (1) support.inc.php, (2) function.inc.php, (3) rdal_object.inc.php, (4) rdal_editor.inc.php. (5) login.inc.php, (6) request.inc.php, and (7) categories.inc.php in include/core/; (8) save.inc.php, (9) preview.inc.php, (10) edit_item.inc.php, (11) new_item.inc.php, and (12) item_info.inc.php in include/display/item/; (13) search.inc.php, (14) item_edit.inc.php, (15) register_succsess.inc.php, (16) context_menu.inc.php, (17) item_repost.inc.php, (18) balance.inc.php, (19) featured.inc.php, (20) user.inc.php, (21) buynow.inc.php, (22) install_complete.inc.php, (23) fees_info.inc.php, (24) user_feedback.inc.php, (25) admin_balance.inc.php, (26) activate.inc.php, (27) user_info.inc.php, (28) member.inc.php, (29) add_bid.inc.php, (30) items_filter.inc.php, (31) my_info.inc.php, (32) register.inc.php, (33) leave_feedback.inc.php, and (34) user_auctions.inc.php in include/display/; and (35) design/form.inc.php, (36) processor.inc.php, (37) interfaces.inc.php (38) left_menu.inc.php, (39) login.inc.php, and (40) categories.inc.php in include/.", "edition": 2, "enchantments": {}, "hash": "ee8c7b836875d1faee76fe8d15159d118e94f18f2ffc67c4dffb935d45d84f9a", "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "scanner"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "reporter"}, {"hash": "6d3f4796275bb54c21a33b82f399cc6d", "key": "assessment"}, {"hash": "11a37ce12b7bb6a1693f8e0b5fdcbd75", "key": "published"}, {"hash": "be5022a8788b13977d38df40bec48d45", "key": "references"}, {"hash": "98eea72defe61d210fb749649df4af99", "key": "cvelist"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "6a5b39ee5a9deda5686b1c8c4dbe8895", "key": "description"}, {"hash": "5ec52bbe9e8040959857f0e14a9193b4", "key": "title"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "8aea9e3428b7216136b7f4e08d927ea1", "key": "cpe"}, {"hash": "d7ff061b683df5966b014bd58c57e28f", "key": "href"}, {"hash": "737e2591b537c46d1ca7ce6f0cea5cb9", "key": "cvss"}, {"hash": "47c594781a1a79f94bb4b7fc7651b390", "key": "modified"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-1790", "id": "CVE-2007-1790", "lastseen": "2017-07-29T11:21:56", "modified": "2017-07-28T21:30:59", "objectVersion": "1.3", "published": "2007-03-31T06:19:00", "references": ["https://exchange.xforce.ibmcloud.com/vulnerabilities/33335", "http://www.milw0rm.com/exploits/3607", "http://www.vupen.com/english/advisories/2007/1180", "http://www.securityfocus.com/bid/23211"], "reporter": "NVD", "scanner": [], "title": "CVE-2007-1790", "type": "cve", "viewCount": 0}, "differentElements": ["references", "modified"], "edition": 2, "lastseen": "2017-07-29T11:21:56"}], "edition": 3, "hashmap": [{"key": "assessment", "hash": "6d3f4796275bb54c21a33b82f399cc6d"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "8aea9e3428b7216136b7f4e08d927ea1"}, {"key": "cvelist", "hash": "98eea72defe61d210fb749649df4af99"}, {"key": "cvss", "hash": "737e2591b537c46d1ca7ce6f0cea5cb9"}, {"key": "description", "hash": "6a5b39ee5a9deda5686b1c8c4dbe8895"}, {"key": "href", "hash": "d7ff061b683df5966b014bd58c57e28f"}, {"key": "modified", "hash": "08c9497023b2af2888b4c672105786d5"}, {"key": "published", "hash": "11a37ce12b7bb6a1693f8e0b5fdcbd75"}, {"key": "references", "hash": "fb47867a73c7837384be2747ac2f98d9"}, {"key": "reporter", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "scanner", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "title", "hash": "5ec52bbe9e8040959857f0e14a9193b4"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "3cda6bc71e8c91cfc719fa15ace10b69108bd1f4a3a221432f75035f2a0d2903", "viewCount": 0, "enchantments": {"vulnersScore": 7.5}, "objectVersion": "1.3", "cpe": ["cpe:/a:kaqoo:kaqoo_auction_software:::free"], "assessment": {"href": "", "name": "", "system": ""}, "scanner": []}

{"result": {"osvdb": [{"id": "OSVDB:34557", "type": "osvdb", "title": "Kaqoo Auction Software Free Edition include/display/search.inc.php install_root Variable Remote File Inclusion", "description": "## Vulnerability Description\nKaqoo Auction Software (Free Edition) contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the include/display/search.inc.php script not properly sanitizing user input supplied to the 'install_root' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nKaqoo Auction Software (Free Edition) contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the include/display/search.inc.php script not properly sanitizing user input supplied to the 'install_root' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.\n## Manual Testing Notes\nhttp://[target]/include/display/search.inc.php?install_root=[Shell]\n## References:\nVendor URL: http://kaqoo.com/\n[Secunia Advisory ID:24696](https://secuniaresearch.flexerasoftware.com/advisories/24696/)\nOther Advisory URL: http://milw0rm.com/exploits/3607\nISS X-Force ID: 33335\nFrSIRT Advisory: ADV-2007-1180\n[CVE-2007-1790](https://vulners.com/cve/CVE-2007-1790)\nBugtraq ID: 23211\n", "published": "2007-03-29T07:49:37", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vulners.com/osvdb/OSVDB:34557", "cvelist": ["CVE-2007-1790"], "lastseen": "2017-04-28T13:20:30"}, {"id": "OSVDB:34553", "type": "osvdb", "title": "Kaqoo Auction Software Free Edition include/display/item/preview.inc.php install_root Variable Remote File Inclusion", "description": "## Vulnerability Description\nKaqoo Auction Software (Free Edition) contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the include/display/item/preview.inc.php script not properly sanitizing user input supplied to the 'install_root' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nKaqoo Auction Software (Free Edition) contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the include/display/item/preview.inc.php script not properly sanitizing user input supplied to the 'install_root' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.\n## Manual Testing Notes\nhttp://[target]/include/display/item/preview.inc.php?install_root=[Shell]\n## References:\nVendor URL: http://kaqoo.com/\n[Secunia Advisory ID:24696](https://secuniaresearch.flexerasoftware.com/advisories/24696/)\nOther Advisory URL: http://milw0rm.com/exploits/3607\nISS X-Force ID: 33335\nFrSIRT Advisory: ADV-2007-1180\n[CVE-2007-1790](https://vulners.com/cve/CVE-2007-1790)\nBugtraq ID: 23211\n", "published": "2007-03-29T07:49:37", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vulners.com/osvdb/OSVDB:34553", "cvelist": ["CVE-2007-1790"], "lastseen": "2017-04-28T13:20:30"}, {"id": "OSVDB:34580", "type": "osvdb", "title": "Kaqoo Auction Software Free Edition include/processor.inc.php install_root Variable Remote File Inclusion", "description": "## Vulnerability Description\nKaqoo Auction Software (Free Edition) contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the include/processor.inc.php script not properly sanitizing user input supplied to the 'install_root' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nKaqoo Auction Software (Free Edition) contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the include/processor.inc.php script not properly sanitizing user input supplied to the 'install_root' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.\n## Manual Testing Notes\nhttp://[target]/include/processor.inc.php?install_root=[Shell]\n## References:\nVendor URL: http://kaqoo.com/\n[Secunia Advisory ID:24696](https://secuniaresearch.flexerasoftware.com/advisories/24696/)\nOther Advisory URL: http://milw0rm.com/exploits/3607\nISS X-Force ID: 33335\nFrSIRT Advisory: ADV-2007-1180\n[CVE-2007-1790](https://vulners.com/cve/CVE-2007-1790)\nBugtraq ID: 23211\n", "published": "2007-03-29T07:49:37", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vulners.com/osvdb/OSVDB:34580", "cvelist": ["CVE-2007-1790"], "lastseen": "2017-04-28T13:20:30"}, {"id": "OSVDB:34581", "type": "osvdb", "title": "Kaqoo Auction Software Free Edition include/interfaces.inc.php install_root Variable Remote File Inclusion", "description": "## Vulnerability Description\nKaqoo Auction Software (Free Edition) contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the include/interfaces.inc.php script not properly sanitizing user input supplied to the 'install_root' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nKaqoo Auction Software (Free Edition) contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the include/interfaces.inc.php script not properly sanitizing user input supplied to the 'install_root' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.\n## Manual Testing Notes\nhttp://[target]/include/interfaces.inc.php?install_root=[Shell]\n## References:\nVendor URL: http://kaqoo.com/\n[Secunia Advisory ID:24696](https://secuniaresearch.flexerasoftware.com/advisories/24696/)\nOther Advisory URL: http://milw0rm.com/exploits/3607\nISS X-Force ID: 33335\nFrSIRT Advisory: ADV-2007-1180\n[CVE-2007-1790](https://vulners.com/cve/CVE-2007-1790)\nBugtraq ID: 23211\n", "published": "2007-03-29T07:49:37", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vulners.com/osvdb/OSVDB:34581", "cvelist": ["CVE-2007-1790"], "lastseen": "2017-04-28T13:20:30"}, {"id": "OSVDB:34576", "type": "osvdb", "title": "Kaqoo Auction Software Free Edition include/display/register.inc.php install_root Variable Remote File Inclusion", "description": "## Vulnerability Description\nKaqoo Auction Software (Free Edition) contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the include/display/register.inc.php script not properly sanitizing user input supplied to the 'install_root' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nKaqoo Auction Software (Free Edition) contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the include/display/register.inc.php script not properly sanitizing user input supplied to the 'install_root' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.\n## Manual Testing Notes\nhttp://[target]/include/display/register.inc.php?install_root=[Shell]\n## References:\nVendor URL: http://kaqoo.com/\n[Secunia Advisory ID:24696](https://secuniaresearch.flexerasoftware.com/advisories/24696/)\nOther Advisory URL: http://milw0rm.com/exploits/3607\nISS X-Force ID: 33335\nFrSIRT Advisory: ADV-2007-1180\n[CVE-2007-1790](https://vulners.com/cve/CVE-2007-1790)\nBugtraq ID: 23211\n", "published": "2007-03-29T07:49:37", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vulners.com/osvdb/OSVDB:34576", "cvelist": ["CVE-2007-1790"], "lastseen": "2017-04-28T13:20:30"}, {"id": "OSVDB:34570", "type": "osvdb", "title": "Kaqoo Auction Software Free Edition include/display/activate.inc.php install_root Variable Remote File Inclusion", "description": "## Vulnerability Description\nKaqoo Auction Software (Free Edition) contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the include/display/activate.inc.php script not properly sanitizing user input supplied to the 'install_root' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nKaqoo Auction Software (Free Edition) contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the include/display/activate.inc.php script not properly sanitizing user input supplied to the 'install_root' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.\n## Manual Testing Notes\nhttp://[target]/include/display/activate.inc.php?install_root=[Shell]\n## References:\nVendor URL: http://kaqoo.com/\n[Secunia Advisory ID:24696](https://secuniaresearch.flexerasoftware.com/advisories/24696/)\nOther Advisory URL: http://milw0rm.com/exploits/3607\nISS X-Force ID: 33335\nFrSIRT Advisory: ADV-2007-1180\n[CVE-2007-1790](https://vulners.com/cve/CVE-2007-1790)\nBugtraq ID: 23211\n", "published": "2007-03-29T07:49:37", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vulners.com/osvdb/OSVDB:34570", "cvelist": ["CVE-2007-1790"], "lastseen": "2017-04-28T13:20:30"}, {"id": "OSVDB:34558", "type": "osvdb", "title": "Kaqoo Auction Software Free Edition include/display/item_edit.inc.php install_root Variable Remote File Inclusion", "description": "## Vulnerability Description\nKaqoo Auction Software (Free Edition) contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the include/display/item_edit.inc.php script not properly sanitizing user input supplied to the 'install_root' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nKaqoo Auction Software (Free Edition) contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the include/display/item_edit.inc.php script not properly sanitizing user input supplied to the 'install_root' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.\n## Manual Testing Notes\nhttp://[target]/include/display/item_edit.inc.php?install_root=[Shell]\n## References:\nVendor URL: http://kaqoo.com/\n[Secunia Advisory ID:24696](https://secuniaresearch.flexerasoftware.com/advisories/24696/)\nOther Advisory URL: http://milw0rm.com/exploits/3607\nISS X-Force ID: 33335\nFrSIRT Advisory: ADV-2007-1180\n[CVE-2007-1790](https://vulners.com/cve/CVE-2007-1790)\nBugtraq ID: 23211\n", "published": "2007-03-29T07:49:37", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vulners.com/osvdb/OSVDB:34558", "cvelist": ["CVE-2007-1790"], "lastseen": "2017-04-28T13:20:30"}, {"id": "OSVDB:34556", "type": "osvdb", "title": "Kaqoo Auction Software Free Edition include/display/item/item_info.inc.php install_root Variable Remote File Inclusion", "description": "## Vulnerability Description\nKaqoo Auction Software (Free Edition) contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the include/display/item/item_info.inc.php script not properly sanitizing user input supplied to the 'install_root' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nKaqoo Auction Software (Free Edition) contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the include/display/item/item_info.inc.php script not properly sanitizing user input supplied to the 'install_root' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.\n## Manual Testing Notes\nhttp://[target]/include/display/item/item_info.inc.php?install_root=[Shell]\n## References:\nVendor URL: http://kaqoo.com/\n[Secunia Advisory ID:24696](https://secuniaresearch.flexerasoftware.com/advisories/24696/)\nOther Advisory URL: http://milw0rm.com/exploits/3607\nISS X-Force ID: 33335\nFrSIRT Advisory: ADV-2007-1180\n[CVE-2007-1790](https://vulners.com/cve/CVE-2007-1790)\nBugtraq ID: 23211\n", "published": "2007-03-29T07:49:37", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vulners.com/osvdb/OSVDB:34556", "cvelist": ["CVE-2007-1790"], "lastseen": "2017-04-28T13:20:30"}, {"id": "OSVDB:34551", "type": "osvdb", "title": "Kaqoo Auction Software Free Edition include/core/categories.inc.php install_root Variable Remote File Inclusion", "description": "## Vulnerability Description\nKaqoo Auction Software (Free Edition) contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the include/core/categories.inc.php script not properly sanitizing user input supplied to the 'install_root' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nKaqoo Auction Software (Free Edition) contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the include/core/categories.inc.php script not properly sanitizing user input supplied to the 'install_root' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.\n## Manual Testing Notes\nhttp://[target]/include/core/categories.inc.php?install_root=[Shell]\n## References:\nVendor URL: http://kaqoo.com/\n[Secunia Advisory ID:24696](https://secuniaresearch.flexerasoftware.com/advisories/24696/)\nOther Advisory URL: http://milw0rm.com/exploits/3607\nISS X-Force ID: 33335\nFrSIRT Advisory: ADV-2007-1180\n[CVE-2007-1790](https://vulners.com/cve/CVE-2007-1790)\nBugtraq ID: 23211\n", "published": "2007-03-29T07:49:37", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vulners.com/osvdb/OSVDB:34551", "cvelist": ["CVE-2007-1790"], "lastseen": "2017-04-28T13:20:30"}, {"id": "OSVDB:34554", "type": "osvdb", "title": "Kaqoo Auction Software Free Edition include/display/item/edit_item.inc.php install_root Variable Remote File Inclusion", "description": "## Vulnerability Description\nKaqoo Auction Software (Free Edition) contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the include/display/item/edit_item.inc.php script not properly sanitizing user input supplied to the 'install_root' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nKaqoo Auction Software (Free Edition) contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the include/display/item/edit_item.inc.php script not properly sanitizing user input supplied to the 'install_root' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.\n## Manual Testing Notes\nhttp://[target]/include/display/item/edit_item.inc.php?install_root=[Shell]\n## References:\nVendor URL: http://kaqoo.com/\n[Secunia Advisory ID:24696](https://secuniaresearch.flexerasoftware.com/advisories/24696/)\nOther Advisory URL: http://milw0rm.com/exploits/3607\nISS X-Force ID: 33335\nFrSIRT Advisory: ADV-2007-1180\n[CVE-2007-1790](https://vulners.com/cve/CVE-2007-1790)\nBugtraq ID: 23211\n", "published": "2007-03-29T07:49:37", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vulners.com/osvdb/OSVDB:34554", "cvelist": ["CVE-2007-1790"], "lastseen": "2017-04-28T13:20:30"}], "exploitdb": [{"id": "EDB-ID:3607", "type": "exploitdb", "title": "Kaqoo Auction install_root Multiple Remote File Include Vulnerabilities", "description": "Kaqoo Auction (install_root) Multiple Remote File Include Vulnerabilities. CVE-2007-1790. Webapps exploit for php platform", "published": "2007-03-29T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/3607/", "cvelist": ["CVE-2007-1790"], "lastseen": "2016-01-31T18:53:54"}]}}