Irk4Z

**Name of the Vulnerable Software and Affected Versions** Joomla! versions 1.5.8 and earlier **Description** A directory traversal issue exists in the XStandard component, specifically in attachmentlibrary.php, allowing remote attackers to list arbitrary directories by including a .. (dot dot) in the `X CMS LIBRARY PATH` HTTP header. **Recommendations** For Joomla! versions 1.5.8 and earlier, consider restricting access to the attachmentlibrary.php file in the XStandard component until a patch is available. As a temporary workaround, avoid using the `X CMS LIBRARY PATH` HTTP header with dot dot (..) sequences to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Skype extension for Firefox version 2.2.0.95 **Description** The issue allows remote attackers to write arbitrary data to the clipboard via a string argument passed to the skype tool.copy num method. **Recommendations** For version 2.2.0.95, consider disabling the skype tool.copy num method until a patch is available to prevent arbitrary data from being written to the clipboard.

SQL injection vulnerability in messages.php in PHP-Fusion 6.01.15 and 7.00.1, when magic quotes gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the subject and msg send parameters, a different vector than CVE-2005-3157, CVE-2005-3158, CVE-2005-3159, CVE-2005-4005, and CVE-2006-2459.

**Name of the Vulnerable Software and Affected Versions** Quicksilver Forums version 1.4.1 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `forums` array parameter in a "search" action, specifically targeting the index.php file. **Recommendations** For Quicksilver Forums version 1.4.1, update to a newer version that contains a fix for this issue. As a temporary workaround, consider restricting access to the `forums` array parameter in the search action to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Mambo versions 4.6.4 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code when register globals is enabled. This is achieved via a URL in the `mosConfig absolute path` parameter in the includes/Cache/Lite/Output.php file of the Cache Lite package. **Recommendations** For Mambo versions 4.6.4 and earlier, consider disabling the register globals setting to prevent exploitation. Additionally, restrict access to the includes/Cache/Lite/Output.php file to minimize the risk of arbitrary PHP code execution. Avoid using the `mosConfig absolute path` parameter in vulnerable configurations until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** CMSimple version 3.1 **Description** A directory traversal issue exists, allowing remote attackers to include and execute arbitrary local files by providing a .. (dot dot) in the `sl` parameter to "index.php". This can be used for remote file execution by including "adm.php" and then invoking the upload action. **Recommendations** For CMSimple version 3.1, update to the patched version released on 20080601, even though the version number remains unchanged.

**Name of the Vulnerable Software and Affected Versions** phpBP version 2.204 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `id` parameter in a "banner out" action. The vulnerable file is includes/functions/banners-external.php. **Recommendations** For version 2.204, apply FIX 4 to resolve the issue. As a temporary workaround, consider restricting access to the `id` parameter in the affected API endpoint until the fix is applied.

**Name of the Vulnerable Software and Affected Versions** fuzzylime (cms) version 3.01 **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `admindir` parameter in the code/display.php file. **Recommendations** For version 3.01, update to a newer version that contains a fix for this issue, or as a temporary workaround, consider restricting access to the `admindir` parameter in the code/display.php file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** PNphpBB2 versions 1.2i and earlier **Description** The issue allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the `phpEx` parameter in the printview.php file. This is a directory traversal vulnerability. **Recommendations** For PNphpBB2 versions 1.2i and earlier, consider restricting access to the printview.php file until a patch is available. As a temporary workaround, avoid using the `phpEx` parameter in the printview.php file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** 1024 CMS versions 1.3.1 through 1.4.2 beta **Description** The issue allows remote attackers to include and execute arbitrary local files via directory traversal vulnerabilities. This can be achieved by exploiting the `lang` parameter to `/pages/print/default/ops/news.php`, the `theme dir` parameter to `/pages/download/default/ops/search.php`, or the `admin theme dir` parameter to `download.php`, `forum.php`, or `news.php` in `admin/ops/reports/ops/`. The vulnerability is exploited using a .. (dot dot) in the respective parameters. **Recommendations** For 1024 CMS versions 1.3.1 through 1.4.2 beta, as a temporary workaround, consider restricting access to the vulnerable parameters `lang`, `theme dir`, and `admin theme dir` until a patch is available. Avoid using the `..` (dot dot) notation in these parameters to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** mBlog version 1.2 **Description** The issue allows remote attackers to read arbitrary files due to a directory traversal vulnerability in the index.php file. This is achieved by using a .. (dot dot) in the `page` parameter within a page mode action. **Recommendations** For mBlog version 1.2, consider restricting access to the `page` parameter in the index.php file to prevent directory traversal attacks until a patch is available. As a temporary workaround, avoid using the `page` parameter with unvalidated input to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** 1024 CMS version 1.3.1 **Description** A SQL injection issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `ip` parameter in the "admin/ops/findip/ajax/search.php" endpoint. **Recommendations** For version 1.3.1, avoid using the `ip` parameter in the "admin/ops/findip/ajax/search.php" endpoint until the issue is resolved. As a temporary workaround, consider restricting access to the "admin/ops/findip/ajax/search.php" endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** GuppY versions 4.6.3, 4.5.16, and earlier **Description** A directory traversal issue exists, allowing remote attackers to include and execute arbitrary local files by using a .. (dot dot) in the `id` parameter. This can be used to bypass authentication and upload arbitrary files by including admin/inc/upload.inc and specifying certain multipart/form-data input for admin/inc/upload.inc. **Recommendations** For GuppY versions 4.6.3, 4.5.16, and earlier, update to a version that fixes this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GuppY version 4.6.3 **Description** A directory traversal issue exists, allowing remote attackers to include and execute arbitrary local files. This can be achieved by using a .. (dot dot) in the `selskin` parameter to "index.php". The issue can also be leveraged for remote file inclusion by including "inc/boxleft.inc" and specifying a URL in the `xposbox[L][]` array parameter. **Recommendations** For GuppY version 4.6.3, consider restricting access to the `selskin` parameter in "index.php" and avoid using the `xposbox[L][]` array parameter until a fix is available. As a temporary workaround, consider disabling the inclusion of "inc/boxleft.inc" to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** miniBB version 2.1 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved by exploiting the `table` parameter in the `/index.php` API endpoint. **Recommendations** For miniBB version 2.1, consider restricting access to the `bb func search.php` file until a patch is available. As a temporary workaround, avoid using the `table` parameter in the `/index.php` endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** iziContents versions 1 RC6 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via specific parameters in various PHP files. This is due to incomplete blacklist vulnerabilities, which are related to missing checks for the inclusion of certain URLs. The affected parameters include `admin home` in `modules/poll/poll summary.php`, `rootdp` in `include/db.php`, and `language home` in several other files, such as `search/search.php`, `poll/inlinepoll.php`, `poll/showpoll.php`, `links/showlinks.php`, and `links/submit links.php`. An example of exploitation is using an `ftps://` URL. **Recommendations** For iziContents versions 1 RC6 and earlier, consider disabling the affected parameters, such as `admin home`, `rootdp`, and `language home`, until a patch is available. Restrict access to the vulnerable modules, including `modules/poll/poll summary.php`, `include/db.php`, `search/search.php`, `poll/inlinepoll.php`, `poll/showpoll.php`, `links/showlinks.php`, and `links/submit links.php`, to minimize the risk of exploitation. Avoid using URLs that could be used to exploit the missing checks in `modules/moduleSec.php` and `include/includeSec.php`. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** iziContents versions 1 RC6 and earlier **Description** The issue allows remote attackers to include and execute arbitrary local files. This can be achieved by using a .. (dot dot) in the `admin home` parameter to the "/modules/poll/poll summary.php" endpoint or the `rootdp` parameter to the "/include/db.php" endpoint. **Recommendations** For iziContents versions 1 RC6 and earlier, consider restricting access to the vulnerable modules, specifically the poll summary.php and db.php files, until a fix is available. As a temporary workaround, avoid using the `admin home` and `rootdp` parameters in the affected API endpoints.

**Name of the Vulnerable Software and Affected Versions** iziContents versions 1 RC6 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `gsLanguage` parameter to several API endpoints, including "search/search.php", "poll/inlinepoll.php", "poll/showpoll.php", "links/showlinks.php", or "links/submit links.php" in modules/. **Recommendations** For iziContents versions 1 RC6 and earlier, as a temporary workaround, consider restricting access to the `gsLanguage` parameter in the affected API endpoints until a patch is available. Avoid using the `gsLanguage` parameter in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PsNews version 1.1 **Description** A directory traversal issue exists, allowing remote attackers to include and execute arbitrary local files. This is achieved by using a .. (dot dot) in the `newspath` parameter. **Recommendations** For PsNews version 1.1, consider restricting access to the `news/show.php` file until a patch is available, or avoid using the `newspath` parameter with untrusted input to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** TinyMCE Compressor PHP versions prior to 1.06 **Description** The issue allows remote attackers to read or include arbitrary files via a trailing null byte (%00) in the `theme`, `language`, `plugins`, or `lang` parameter. This can be exploited by sending a specially crafted request to the vulnerable API endpoint. **Recommendations** For versions prior to 1.06, update to version 1.06 or later to resolve the issue. As a temporary workaround, consider restricting access to the `tiny mce gzip.php` file to minimize the risk of exploitation. Avoid using the `theme`, `language`, `plugins`, or `lang` parameter with a trailing null byte (%00) in the affected API endpoint until the issue is resolved.