ID: OSVDB:28530
Type: osvdb
Reporter: Charles Nelwan a.k.a Cmaster4 (bugtraq_indo@yahoo.com)
Modified: 2006-08-14T02:49:04
Description
Vulnerability Description
Dolphin contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the vkiss.php script not properly sanitizing user input supplied to the 'dir[inc]' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.
Solution Description
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
{"type": "osvdb", "published": "2006-08-14T02:49:04", "href": "https://vulners.com/osvdb/OSVDB:28530", "bulletinFamily": "software", "cvss": {"vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/", "score": 5.1}, "viewCount": 0, "edition": 1, "reporter": "Charles Nelwan a.k.a Cmaster4(bugtraq_indo@yahoo.com)", "title": "Dolphin vkiss.php dir[inc] Variable Remote File Inclusion", "affectedSoftware": [{"operator": "eq", "version": "5.1", "name": "Dolphin"}], "enchantments": {"score": {"value": 6.0, "vector": "NONE", "modified": "2017-04-28T13:20:24", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2006-4189"]}, {"type": "osvdb", "idList": ["OSVDB:28522", "OSVDB:28496", "OSVDB:28525", "OSVDB:28474", "OSVDB:28515", "OSVDB:28511", "OSVDB:28473", "OSVDB:28518", "OSVDB:28526", "OSVDB:28521"]}], "modified": "2017-04-28T13:20:24", "rev": 2}, "vulnersScore": 6.0}, "references": [], "id": "OSVDB:28530", "lastseen": "2017-04-28T13:20:24", "cvelist": ["CVE-2006-4189"], "modified": "2006-08-14T02:49:04", "description": "## Vulnerability Description\nDolphin contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the vkiss.php script not properly sanitizing user input supplied to the 'dir[inc]' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nDolphin contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the vkiss.php script not properly sanitizing user input supplied to the 'dir[inc]' variable. 
This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.\n## Manual Testing Notes\nhttp://[target]/vkiss.php?dir[inc]=[Evil Script]\n## References:\nVendor URL: http://www.boonex.com/products/dolphin/\nSecurity Tracker: 1016692\n[Secunia Advisory ID:21535](https://secuniaresearch.flexerasoftware.com/advisories/21535/)\nISS X-Force ID: 28363\nFrSIRT Advisory: ADV-2006-3346\n[CVE-2006-4189](https://vulners.com/cve/CVE-2006-4189)\n"}
{"cve": [{"lastseen": "2020-10-03T11:48:17", "description": "Multiple PHP remote file inclusion vulnerabilities in Dolphin 5.1 allow remote attackers to execute arbitrary PHP code via a URL in the dir[inc] parameter in (1) index.php, (2) aemodule.php, (3) browse.php, (4) cc.php, (5) click.php, (6) faq.php, (7) gallery.php, (8) im.php, (9) inbox.php, (10) join_form.php, (11) logout.php, (12) messages_inbox.php, and many other scripts.", "edition": 3, "cvss3": {}, "published": "2006-08-17T01:04:00", "title": "CVE-2006-4189", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.1, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-4189"], "modified": "2017-07-20T01:32:00", "cpe": ["cpe:/a:boonex:dolphin:5.1"], "id": "CVE-2006-4189", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-4189", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:boonex:dolphin:5.1:*:*:*:*:*:*:*"]}], "osvdb": [{"lastseen": "2017-04-28T13:20:24", "bulletinFamily": "software", "cvelist": ["CVE-2006-4189"], "edition": 1, "description": "## Vulnerability Description\nDolphin contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the news.php script not properly sanitizing user input supplied to the 'dir[inc]' variable. 
This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nDolphin contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the news.php script not properly sanitizing user input supplied to the 'dir[inc]' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.\n## Manual Testing Notes\nhttp://[target]/news.php?dir[inc]=[Evil Script]\n## References:\nVendor URL: http://www.boonex.com/products/dolphin/\nSecurity Tracker: 1016692\n[Secunia Advisory ID:21535](https://secuniaresearch.flexerasoftware.com/advisories/21535/)\nISS X-Force ID: 28363\nFrSIRT Advisory: ADV-2006-3346\n[CVE-2006-4189](https://vulners.com/cve/CVE-2006-4189)\n", "modified": "2006-08-14T02:49:04", "published": "2006-08-14T02:49:04", "href": "https://vulners.com/osvdb/OSVDB:28501", "id": "OSVDB:28501", "type": "osvdb", "title": "Dolphin news.php dir[inc] Variable Remote File Inclusion", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:24", "bulletinFamily": "software", "cvelist": ["CVE-2006-4189"], "edition": 1, "description": "## Vulnerability Description\nDolphin contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the outbox.php script not properly sanitizing user input supplied to the 'dir[inc]' variable. 
This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nDolphin contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the outbox.php script not properly sanitizing user input supplied to the 'dir[inc]' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.\n## Manual Testing Notes\nhttp://[target]/outbox.php?dir[inc]=[Evil Script]\n## References:\nVendor URL: http://www.boonex.com/products/dolphin/\nSecurity Tracker: 1016692\n[Secunia Advisory ID:21535](https://secuniaresearch.flexerasoftware.com/advisories/21535/)\nISS X-Force ID: 28363\nFrSIRT Advisory: ADV-2006-3346\n[CVE-2006-4189](https://vulners.com/cve/CVE-2006-4189)\n", "modified": "2006-08-14T02:49:04", "published": "2006-08-14T02:49:04", "href": "https://vulners.com/osvdb/OSVDB:28503", "id": "OSVDB:28503", "type": "osvdb", "title": "Dolphin outbox.php dir[inc] Variable Remote File Inclusion", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:24", "bulletinFamily": "software", "cvelist": ["CVE-2006-4189"], "edition": 1, "description": "## Vulnerability Description\nDolphin contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the polls.php script not properly sanitizing user input supplied to the 'dir[inc]' variable. 
This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nDolphin contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the polls.php script not properly sanitizing user input supplied to the 'dir[inc]' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.\n## Manual Testing Notes\nhttp://[target]/polls.php?dir[inc]=[Evil Script]\n## References:\nVendor URL: http://www.boonex.com/products/dolphin/\nSecurity Tracker: 1016692\n[Secunia Advisory ID:21535](https://secuniaresearch.flexerasoftware.com/advisories/21535/)\nISS X-Force ID: 28363\nFrSIRT Advisory: ADV-2006-3346\n[CVE-2006-4189](https://vulners.com/cve/CVE-2006-4189)\n", "modified": "2006-08-14T02:49:04", "published": "2006-08-14T02:49:04", "href": "https://vulners.com/osvdb/OSVDB:28506", "id": "OSVDB:28506", "type": "osvdb", "title": "Dolphin polls.php dir[inc] Variable Remote File Inclusion", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:24", "bulletinFamily": "software", "cvelist": ["CVE-2006-4189"], "edition": 1, "description": "## Vulnerability Description\nDolphin contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the affiliates.php script not properly sanitizing user input supplied to the 'dir[inc]' variable. 
This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nDolphin contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the affiliates.php script not properly sanitizing user input supplied to the 'dir[inc]' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.\n## Manual Testing Notes\nhttp://[target]/affiliates.php?dir[inc]=[Evil Script]\n## References:\nVendor URL: http://www.boonex.com/products/dolphin/\nSecurity Tracker: 1016692\n[Secunia Advisory ID:21535](https://secuniaresearch.flexerasoftware.com/advisories/21535/)\nISS X-Force ID: 28363\nFrSIRT Advisory: ADV-2006-3346\n[CVE-2006-4189](https://vulners.com/cve/CVE-2006-4189)\n", "modified": "2006-08-14T02:49:04", "published": "2006-08-14T02:49:04", "href": "https://vulners.com/osvdb/OSVDB:28470", "id": "OSVDB:28470", "type": "osvdb", "title": "Dolphin affiliates.php dir[inc] Variable Remote File Inclusion", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:24", "bulletinFamily": "software", "cvelist": ["CVE-2006-4189"], "edition": 1, "description": "## Vulnerability Description\nDolphin contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the browse.php script not properly sanitizing user input supplied to the 'dir[inc]' variable. 
This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nDolphin contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the browse.php script not properly sanitizing user input supplied to the 'dir[inc]' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.\n## Manual Testing Notes\nhttp://[target]/browse.php?dir[inc]=[Evil Script]\n## References:\nVendor URL: http://www.boonex.com/products/dolphin/\nSecurity Tracker: 1016692\n[Secunia Advisory ID:21535](https://secuniaresearch.flexerasoftware.com/advisories/21535/)\nISS X-Force ID: 28363\nFrSIRT Advisory: ADV-2006-3346\n[CVE-2006-4189](https://vulners.com/cve/CVE-2006-4189)\n", "modified": "2006-08-14T02:49:04", "published": "2006-08-14T02:49:04", "href": "https://vulners.com/osvdb/OSVDB:28472", "id": "OSVDB:28472", "type": "osvdb", "title": "Dolphin browse.php dir[inc] Variable Remote File Inclusion", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:24", "bulletinFamily": "software", "cvelist": ["CVE-2006-4189"], "edition": 1, "description": "## Vulnerability Description\nDolphin contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the profile_video.php script not properly sanitizing user input supplied to the 'dir[inc]' variable. 
This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nDolphin contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the profile_video.php script not properly sanitizing user input supplied to the 'dir[inc]' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.\n## Manual Testing Notes\nhttp://[target]/profile_video.php?dir[inc]=[Evil Script]\n## References:\nVendor URL: http://www.boonex.com/products/dolphin/\nSecurity Tracker: 1016692\n[Secunia Advisory ID:21535](https://secuniaresearch.flexerasoftware.com/advisories/21535/)\nISS X-Force ID: 28363\nFrSIRT Advisory: ADV-2006-3346\n[CVE-2006-4189](https://vulners.com/cve/CVE-2006-4189)\n", "modified": "2006-08-14T02:49:04", "published": "2006-08-14T02:49:04", "href": "https://vulners.com/osvdb/OSVDB:28514", "id": "OSVDB:28514", "type": "osvdb", "title": "Dolphin profile_video.php dir[inc] Variable Remote File Inclusion", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:24", "bulletinFamily": "software", "cvelist": ["CVE-2006-4189"], "edition": 1, "description": "## Vulnerability Description\nDolphin contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the messages_inbox.php script not properly sanitizing user input supplied to the 'dir[inc]' variable. 
This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nDolphin contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the messages_inbox.php script not properly sanitizing user input supplied to the 'dir[inc]' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.\n## Manual Testing Notes\nhttp://[target]/messages_inbox.php?dir[inc]=[Evil Script]\n## References:\nVendor URL: http://www.boonex.com/products/dolphin/\nSecurity Tracker: 1016692\n[Secunia Advisory ID:21535](https://secuniaresearch.flexerasoftware.com/advisories/21535/)\nISS X-Force ID: 28363\nFrSIRT Advisory: ADV-2006-3346\n[CVE-2006-4189](https://vulners.com/cve/CVE-2006-4189)\n", "modified": "2006-08-14T02:49:04", "published": "2006-08-14T02:49:04", "href": "https://vulners.com/osvdb/OSVDB:28499", "id": "OSVDB:28499", "type": "osvdb", "title": "Dolphin messages_inbox.php dir[inc] Variable Remote File Inclusion", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:24", "bulletinFamily": "software", "cvelist": ["CVE-2006-4189"], "edition": 1, "description": "## Vulnerability Description\nDolphin contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the news_view.php script not properly sanitizing user input supplied to the 'dir[inc]' variable. 
This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nDolphin contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the news_view.php script not properly sanitizing user input supplied to the 'dir[inc]' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.\n## Manual Testing Notes\nhttp://[target]/news_view.php?dir[inc]=[Evil Script]\n## References:\nVendor URL: http://www.boonex.com/products/dolphin/\nSecurity Tracker: 1016692\n[Secunia Advisory ID:21535](https://secuniaresearch.flexerasoftware.com/advisories/21535/)\nISS X-Force ID: 28363\nFrSIRT Advisory: ADV-2006-3346\n[CVE-2006-4189](https://vulners.com/cve/CVE-2006-4189)\n", "modified": "2006-08-14T02:49:04", "published": "2006-08-14T02:49:04", "href": "https://vulners.com/osvdb/OSVDB:28502", "id": "OSVDB:28502", "type": "osvdb", "title": "Dolphin news_view.php dir[inc] Variable Remote File Inclusion", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:24", "bulletinFamily": "software", "cvelist": ["CVE-2006-4189"], "edition": 1, "description": "## Vulnerability Description\nDolphin contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the activation_email.php script not properly sanitizing user input supplied to the 'dir[inc]' variable. 
This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nDolphin contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the activation_email.php script not properly sanitizing user input supplied to the 'dir[inc]' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.\n## Manual Testing Notes\nhttp://[target]/activation_email.php?dir[inc]=[Evil Script]\n## References:\nVendor URL: http://www.boonex.com/products/dolphin/\nSecurity Tracker: 1016692\n[Secunia Advisory ID:21535](https://secuniaresearch.flexerasoftware.com/advisories/21535/)\nISS X-Force ID: 28363\nFrSIRT Advisory: ADV-2006-3346\n[CVE-2006-4189](https://vulners.com/cve/CVE-2006-4189)\n", "modified": "2006-08-14T02:49:04", "published": "2006-08-14T02:49:04", "href": "https://vulners.com/osvdb/OSVDB:28468", "id": "OSVDB:28468", "type": "osvdb", "title": "Dolphin activation_email.php dir[inc] Variable Remote File Inclusion", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:24", "bulletinFamily": "software", "cvelist": ["CVE-2006-4189"], "edition": 1, "description": "## Vulnerability Description\nDolphin contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the privacy.php script not properly sanitizing user input supplied to the 'dir[inc]' variable. 
This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nDolphin contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the privacy.php script not properly sanitizing user input supplied to the 'dir[inc]' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.\n## Manual Testing Notes\nhttp://[target]/privacy.php?dir[inc]=[Evil Script]\n## References:\nVendor URL: http://www.boonex.com/products/dolphin/\nSecurity Tracker: 1016692\n[Secunia Advisory ID:21535](https://secuniaresearch.flexerasoftware.com/advisories/21535/)\nISS X-Force ID: 28363\nFrSIRT Advisory: ADV-2006-3346\n[CVE-2006-4189](https://vulners.com/cve/CVE-2006-4189)\n", "modified": "2006-08-14T02:49:04", "published": "2006-08-14T02:49:04", "href": "https://vulners.com/osvdb/OSVDB:28507", "id": "OSVDB:28507", "type": "osvdb", "title": "Dolphin privacy.php dir[inc] Variable Remote File Inclusion", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}