
404 matches found

Prion
added 2007/03/10 10:19 p.m., 10 views

Code injection

Direct static code injection vulnerability in startsession.php in Flat Chat 2.0 allows remote attackers to execute arbitrary PHP code via the Chat Name field, which is inserted into online.txt and included by users.php. NOTE: some of these details are obtained from third party information...

10 CVSS, 8.3 AI score, 0.10749 EPSS
Exploits 1, References 6, Affected Software 1
CVE
added 2007/03/10 10:0 p.m., 34 views

CVE-2007-1394

The CVE-2007-1394 entry concerns Flat Chat 2.0. It describes a direct static code injection vulnerability in startsession.php, where the Chat Name field is inserted into online.txt and subsequently included by users.php. The root cause is unsafely incorporating user-provided input into executable...

10 CVSS, 7.8 AI score, 0.10749 EPSS
Exploits 1, References 6, Affected Software 1
CVE
added 2007/02/22 10:0 p.m., 47 views

CVE-2007-1073

CVE-2007-1073 involves a static code injection in mcRefer’s install.php. The bgcolor parameter is inserted into mcrconf.inc.php, enabling remote PHP code execution. The vulnerability affects install.php in mcRefer and can lead to complete compromise of affected systems. The available documents do...

10 CVSS, 7.8 AI score, 0.01231 EPSS
Exploits 0, References 3, Affected Software 1
Prion
added 2007/01/31 9:28 p.m., 13 views

Code injection

Multiple static code injection vulnerabilities in error.php in GuppY 4.5.16 and earlier allow remote attackers to inject arbitrary PHP code into a .inc file in the data/ directory via (1) a REMOTE_ADDR cookie or (2) a cookie specifying an element of the msg array with an error number in the first...

7.5 CVSS, 7.9 AI score, 0.10683 EPSS
Exploits 1, References 7, Affected Software 1
CVE
added 2007/01/31 9:0 p.m., 40 views

CVE-2007-0639

GuppY 4.5.16 and earlier is affected by multiple static code injection vulnerabilities in error.php that let remote attackers inject arbitrary PHP code into a data/.inc file via cookies (REMOTE_ADDR or msg[...] with an error dimension). Exploitation would impact confidentiality, integrity, and av...

7.5 CVSS, 7.4 AI score, 0.10683 EPSS
Exploits 1, References 7, Affected Software 1
Prion
added 2007/01/09 2:28 a.m., 9 views

Code injection

Static code injection vulnerability in Coppermine Photo Gallery 1.4.10 and earlier allows remote authenticated administrators to execute arbitrary PHP code via the Username to login.php, which is injected into an error message in security.log.php, which can then be accessed using viewlog.php...

6 CVSS, 7.9 AI score, 0.01111 EPSS
Exploits 1, References 5, Affected Software 1
CVE
added 2007/01/09 2:0 a.m., 40 views

CVE-2007-0115

CVE-2007-0115 affects Coppermine Photo Gallery 1.4.10 and earlier. The vulnerability is a static code injection that lets remote authenticated administrators run arbitrary PHP code. The attack path involves injecting PHP code via the Username field to login.php, which is injected into an error me...

6 CVSS, 7.5 AI score, 0.01111 EPSS
Exploits 1, References 5, Affected Software 1
Cvelist
added 2006/12/04 11:0 a.m., 13 views

CVE-2006-6255

Direct static code injection vulnerability in util.php in the NukeAI 0.0.3 Beta module for PHP-Nuke, aka Program E is an AIML chatterbot, allows remote attackers to upload and execute arbitrary PHP code via a filename with a .php extension in the filename parameter and code in the moreinfo...

7.7 AI score, 0.05789 EPSS
Exploits 1, References 3
CVE
added 2006/12/04 11:0 a.m., 47 views

CVE-2006-6255

The CVE-2006-6255 entry concerns the NukeAI 0.0.3 Beta module for PHP-Nuke, where a vulnerability in util.php allows remote code execution. An attacker can upload and execute arbitrary PHP code by supplying a filename with a .php extension in the filename parameter and code in the moreinfo parame...

7.5 CVSS, 8.1 AI score, 0.05789 EPSS
Exploits 1, References 3, Affected Software 1
CVE
added 2006/11/10 1:0 a.m., 50 views

CVE-2006-5837

CVE-2006-5837 describes a static code injection in the SimpleChat 1.0.0 module for iWare Professional CMS. The vulnerability resides in chat_panel.php, allowing remote attackers to inject arbitrary PHP code into chat_log.php via the msg parameter. The CVSSv2 vector is AV:N/AC:L/Au:N/C:P/I:P/A:P w...

7.5 CVSS, 7.6 AI score, 0.07011 EPSS
Exploits 1, References 5, Affected Software 1
NVD
added 2006/10/03 4:3 a.m., 11 views

CVE-2006-5131

module/shout/jafshout.php (aka the shoutbox) in ph03y3nk just another flat file (JAF) CMS 4.0 RC1 allows remote attackers to execute arbitrary code within sections bounded by "", possibly due to a static code injection vulnerability involving admin/datainc.php...

7.5 CVSS, 7.9 AI score, 0.01922 EPSS
Exploits 0, References 3
CVE
added 2006/09/29 12:0 a.m., 33 views

CVE-2006-5085

CVE-2006-5085 affects Blog Pixel Motion 2.1.1. The vulnerability is a static code injection in config.php where the nom_blog parameter is injected into include/variables.php, enabling remote attackers to execute arbitrary PHP code. The available connected documents confirm the affected software v...

7.5 CVSS, 7.8 AI score, 0.05495 EPSS
Exploits 2, References 6, Affected Software 1
Cvelist
added 2006/09/13 11:0 p.m., 17 views

CVE-2006-4768

Multiple direct static code injection vulnerabilities in addgo.php in Stefan Ernst Newsscript (aka WM-News) 0.5 beta allow remote attackers to execute arbitrary PHP code via the (1) description, (2) issue, (3) title, (4) var, (5) name, (6) keywords, and (7) note parameters, which are stored in an article file...

7.5 AI score, 0.00483 EPSS
Exploits 0, References 5
OSV
added 2006/09/11 5:4 p.m., 5 views

CVE-2006-4674

Direct static code injection vulnerability in doku.php in DokuWiki before 2006-030-09c allows remote attackers to execute arbitrary PHP code via the X-FORWARDED-FOR HTTP header, which is stored in config.php...

7.3 AI score
Exploits 0, References 8
CVE
added 2006/09/11 5:0 p.m., 61 views

CVE-2006-4674

CVE-2006-4674 concerns DokuWiki prior to 2006-03-09c. A direct static code injection flaw in the script doku.php allows remote attackers to execute arbitrary PHP code by supplying a crafted X-FORWARDED-FOR HTTP header, which is stored in config.php. The vulnerability is characterized by an attack...

7.5 CVSS, 7.3 AI score, 0.01414 EPSS
Exploits 1, References 7, Affected Software 1
CVE
added 2006/09/08 8:0 p.m., 36 views

CVE-2006-4631

The CVE refers to SoftBB 0.1 (and possibly earlier) with a vulnerability in admin/save_opt.php: Direct static code injection allows remote authenticated users to upload and execute arbitrary PHP code via the cache_forum parameter, which saves the code to info_options.php and makes it accessible v...

6.5 CVSS, 7.8 AI score, 0.13282 EPSS
Exploits 1, References 9, Affected Software 1
NVD
added 2006/08/30 1:4 a.m., 9 views

CVE-2006-4451

Direct static code injection vulnerability in CJ Tag Board 3.0 allows remote attackers to execute arbitrary PHP code via (1) the User-Agent HTTP header in tag.php, which is executed by all.php, and (2) the banned parameter in admin_index.php...

7.5 CVSS, 7.8 AI score, 0.00741 EPSS
Exploits 0, References 4
Cvelist
added 2006/08/30 1:0 a.m., 10 views

CVE-2006-4451

Direct static code injection vulnerability in CJ Tag Board 3.0 allows remote attackers to execute arbitrary PHP code via (1) the User-Agent HTTP header in tag.php, which is executed by all.php, and (2) the banned parameter in admin_index.php...

7.8 AI score, 0.00741 EPSS
Exploits 0, References 4
CVE
added 2006/08/30 1:0 a.m., 36 views

CVE-2006-4451

CVE-2006-4451 affects CJ Tag Board 3.0, with a direct static code injection flaw allowing remote PHP code execution. The vulnerability arises from two input vectors: (1) the User-Agent HTTP header in tag.php (executed by all.php) and (2) the banned parameter in admin_index.php. This results in ar...

7.5 CVSS, 8.2 AI score, 0.00741 EPSS
Exploits 0, References 4, Affected Software 1
Cvelist
added 2006/08/29 12:0 a.m., 14 views

CVE-2006-4432

Directory traversal vulnerability in Zend Platform 2.2.1 and earlier allows remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in the final component of the PHP session identifier (PHPSESSID). NOTE: in some cases, this issue can be leveraged to perform direct static code...

7.4 AI score, 0.01415 EPSS
Exploits 0, References 7