Cxib8O3

**Name of the Vulnerable Software and Affected Versions** PHP versions prior to 5.2.7 **Description** The issue allows context-dependent attackers to write to arbitrary files. This is possible because PHP does not enforce the error log safe mode restrictions when safe mode is enabled through a php admin flag setting in httpd.conf. An attacker can exploit this by placing a "php value error log" entry in a .htaccess file. **Recommendations** For PHP versions prior to 5.2.7, update to version 5.2.7 or later to resolve the issue. As a temporary workaround, consider disabling the use of .htaccess files to minimize the risk of exploitation. Restrict access to the error log setting in php admin flag to prevent unauthorized modifications.

Name of the Vulnerable Software and Affected Versions: phpBB version 2.0.20 Description: The issue allows remote attackers to obtain sensitive information by exploiting improper verification of user-specified input variables used as limits to SQL queries. This can be achieved via a negative LIMIT specification, as demonstrated by the `start` parameter to "memberlist.php", which reveals the SQL query in the resulting error message. Recommendations: For phpBB version 2.0.20, update to a version that properly verifies and sanitizes user input to prevent SQL query manipulation.

Name of the Vulnerable Software and Affected Versions: phpBB version 2.0.20 Description: The issue allows remote attackers to obtain sensitive information by not verifying user-specified input variable types before being passed to type-dependent functions. This is demonstrated by the `mode` parameter to "memberlist.php" and the `highlight` parameter to "viewtopic.php", which are used as an argument to functions such as `htmlspecialchars` or `urlencode`, resulting in the display of the installation path in the resulting error message. Recommendations: For phpBB version 2.0.20, consider updating to a newer version that addresses this issue, as the current version does not properly validate user input, leading to potential information disclosure. As a temporary workaround, consider restricting access to the "memberlist.php" and "viewtopic.php" scripts until a patch is available. Avoid using the `mode` and `highlight` parameters in these scripts until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** PHP versions 4.4.2 through 4.4.3 PHP versions 5.1.4 and earlier **Description** The issue allows local users to bypass safe mode and open basedir restrictions. This is due to an input validation error in the `error log()` function, specifically in the processing of the destination parameter. The vulnerability can be exploited via directory traversal attacks using the "php://" wrapper. **Recommendations** For PHP versions 4.4.2 through 4.4.3, update to version 4.4.4 or later. For PHP versions 5.1.4 and earlier, update to version 5.1.5 or later. As a temporary workaround, consider restricting the use of the `error log()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** PHP versions 4.4.2 and 5.1.4 **Description** The issue allows attackers to bypass safe mode and read files via a file:// request containing null characters. This is related to the cURL library (libcurl) in PHP. **Recommendations** For PHP version 4.4.2, update to a version that fixes this issue. For PHP version 5.1.4, update to a version that fixes this issue. As a temporary workaround, consider restricting access to file:// requests until a patch is available.

Name of the Vulnerable Software and Affected Versions: PHP versions 4.4.2 through 5.1.2 Description: The issue allows local users to bypass safe mode and read arbitrary files. This is due to the copy function in file.c not properly sanitizing user-supplied input, specifically when a source argument contains a compress.zlib:// URI. By supplying a crafted compress.zlib:// URI, an attacker can bypass safe mode restrictions. Recommendations: For PHP versions 4.4.2 through 5.1.2, consider restricting access to the copy function in file.c to minimize the risk of exploitation until a patch is available. As a temporary workaround, avoid using the compress.zlib:// URI scheme in the copy function to prevent bypassing safe mode restrictions.

**Name of the Vulnerable Software and Affected Versions** phpBB version 2.0.18 **Description** The issue allows remote attackers to obtain the installation path of phpBB. This is achieved by making a direct request to the 'admin/admin disallow.php' endpoint with a non-empty `setmodules` parameter. The request causes an invalid `append sid` function call, resulting in the installation path being leaked in an error message. **Recommendations** For phpBB version 2.0.18, consider restricting access to the 'admin/admin disallow.php' endpoint until a fix is available. As a temporary workaround, avoid using the `setmodules` parameter in requests to this endpoint to minimize the risk of path disclosure.

**Name of the Vulnerable Software and Affected Versions** phpBB version 2.0.18 **Description** The issue is related to a cross-site scripting (XSS) vulnerability. When the "Allowed HTML tags" option is enabled, remote attackers can inject arbitrary Javascript code via permitted HTML tags that contain quote characters and active attributes, such as onmouseover. **Recommendations** For phpBB version 2.0.18, consider disabling the "Allowed HTML tags" option to prevent the injection of malicious Javascript code until a patch is available. Restrict access to HTML tags with active attributes to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** PostNuke versions 0.750 through 0.760RC3 **Description** The issue allows remote attackers to obtain sensitive information via a direct request to "simple smarty.php", which reveals the path in an error message. **Recommendations** For PostNuke versions 0.750 through 0.760RC3, consider restricting access to the simple smarty.php file until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PostNuke version 0.750 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `name` or `module` parameter in the Xanthia.php file of the Xanthia module. **Recommendations** For PostNuke version 0.750, consider restricting access to the Xanthia module until a patch is available. As a temporary workaround, avoid using the `name` and `module` parameters in the affected API endpoint.

**Name of the Vulnerable Software and Affected Versions** PostNuke versions 0.750 through 0.760RC3 **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities in the RSS module. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML. Specifically, the vulnerabilities can be exploited through the `rss url` parameter to "magpie slashbox.php", or the `url` parameter to "magpie simple.php" or "magpie debug.php". **Recommendations** For PostNuke versions 0.750 through 0.760RC3, consider restricting access to the RSS module until a patch is available. As a temporary workaround, avoid using the `rss url` parameter in "magpie slashbox.php" and the `url` parameter in "magpie simple.php" or "magpie debug.php" to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** PostNuke versions 0.750 through 0.760RC3 **Description** The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via the `skin` or `paletteid` parameter to "demo.php" in the Xanthia module, or the `serverName` parameter to "config.php" in the Multisites module. **Recommendations** For PostNuke versions 0.750 through 0.760RC3, consider disabling access to the `demo.php` file in the Xanthia module and restricting modifications to the `config.php` file in the Multisites module until a fix is available. Avoid using the `skin`, `paletteid`, and `serverName` parameters in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** PostNuke versions 0.750 through 0.760RC3 **Description** The issue allows remote attackers to obtain sensitive information via direct requests to various files, including `theme.php` and `Xanthia.php` in the Xanthia module, multiple files in the pnblocks directory in the Blocks module, `config.php` in the NS-Multisites module, and `xmlrpc.php`. These requests can reveal the path in an error message. **Recommendations** For PostNuke versions 0.750 through 0.760RC3, consider restricting access to the sensitive files and directories, such as the Xanthia module, Blocks module, NS-Multisites module, and the xmlrpc.php file, to minimize the risk of exploitation. As a temporary workaround, disable the execution of these files until a patch is available.

**Name of the Vulnerable Software and Affected Versions** PostNuke versions 0.760-RC3 **Description** The issue allows remote administrators to read arbitrary files due to a directory traversal vulnerability in the pnadminapi.php file within the Xanthia module. This is achieved by using a .. (dot dot) in the `skin` parameter. **Recommendations** For PostNuke version 0.760-RC3, consider restricting access to the pnadminapi.php file or the Xanthia module to minimize the risk of exploitation. As a temporary workaround, avoid using the `skin` parameter in the pnadminapi.php file until a patch is available.

**Name of the Vulnerable Software and Affected Versions** PostNuke versions 0.760-RC3 **Description** The issue allows remote administrators to execute arbitrary SQL commands. This is achieved via the `riga[0]` parameter in the pnadmin.php file of the Xanthia module. **Recommendations** For PostNuke version 0.760-RC3, avoid using the `riga[0]` parameter in the pnadmin.php file of the Xanthia module until the issue is resolved. As a temporary workaround, consider restricting access to the pnadmin.php file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** PHP-Nuke version 7.6 **Description** The issue allows remote attackers to obtain sensitive information via an invalid `show` parameter. This triggers a division by zero PHP error, which leaks the full pathname of the server. **Recommendations** For PHP-Nuke version 7.6, consider restricting access to the Web Links module until a patch is available. As a temporary workaround, avoid using the `show` parameter in the affected module to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** PHP-Nuke version 7.6 **Description** The issue concerns SQL injection vulnerabilities in the Web Links module. Remote attackers can execute arbitrary SQL commands through various parameters in different functions, including `email` or `url` in the Add function, `url` in the modifylinkrequestS function, `orderby` or `min` in the viewlink function, `orderby`, `min`, or `show` in the search function, or `ratenum` in the MostPopular function. **Recommendations** For PHP-Nuke version 7.6, consider restricting access to the Web Links module until a fix is available. As a temporary workaround, avoid using the vulnerable parameters `email`, `url`, `orderby`, `min`, `show`, and `ratenum` in their respective functions. Additionally, restrict the use of the modifylinkrequestS, viewlink, search, and MostPopular functions to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** PHP-Nuke version 7.6 **Description** The issue concerns SQL injection vulnerabilities in the Downloads module. Remote attackers can inject arbitrary web script or HTML via specific parameters, including the `email` or `url` parameters in the Add function, the `min` parameter in the viewsdownload function, or the `min` parameter in the search function. **Recommendations** For PHP-Nuke version 7.6, consider restricting access to the vulnerable parameters `email`, `url`, and `min` in the affected functions until a patch is available. As a temporary workaround, disabling the Downloads module or limiting its functionality can help minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** phpSysInfo version 2.3 **Description** The issue allows remote attackers to obtain sensitive information via a direct request to certain files, which reveal the path in a PHP error message. Specifically, the affected files include class.OpenBSD.inc.php, class.NetBSD.inc.php, class.FreeBSD.inc.php, class.Darwin.inc.php, XPath.class.php, system header.php, and system footer.php. **Recommendations** For phpSysInfo version 2.3, consider restricting direct access to the mentioned files, such as class.OpenBSD.inc.php, class.NetBSD.inc.php, class.FreeBSD.inc.php, class.Darwin.inc.php, XPath.class.php, system header.php, and system footer.php, to prevent the disclosure of sensitive information.

**Name of the Vulnerable Software and Affected Versions** phpAdsNew version 2.0.4 **Description** The issue allows remote attackers to obtain sensitive information via direct requests to various PHP files, including (1) "lib-xmlrpcs.inc.php", (2) "maintenance-activation.php", (3) "maintenance-cleantables.php", (4) "maintenance-autotargeting.php", (5) "maintenance-reports.php", (6) "phpads.php", (7) "remotehtmlview.php", (8) "click.php", (9) "adcontent.php". These requests can reveal the path in a PHP error message. **Recommendations** For phpAdsNew version 2.0.4, consider restricting access to the mentioned PHP files to minimize the risk of exploitation. As a temporary workaround, limit direct requests to these files until a patch is available.