Pouya Daneshmand

**Name of the Vulnerable Software and Affected Versions** Phpkobo Address Book Script version 1.09 **Description** The issue allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the `LANG CODE` parameter when magic quotes gpc is disabled. This is a directory traversal vulnerability in the codelib/cfg/common.inc.php file. **Recommendations** For Phpkobo Address Book Script version 1.09, consider disabling the use of the `LANG CODE` parameter until a patch is available, or enable magic quotes gpc to prevent the exploitation of this issue.

**Name of the Vulnerable Software and Affected Versions** Phpkobo Short URL version 1.01 **Description** The issue allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the `LANG CODE` parameter in staff/app/common.inc.php when magic quotes gpc is disabled. **Recommendations** For Phpkobo Short URL version 1.01, consider disabling the execution of files using the `LANG CODE` parameter until a patch is available. Restrict access to the staff/app/common.inc.php file to minimize the risk of exploitation. Avoid using the `LANG CODE` parameter with untrusted input. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Phpkobo Free Real Estate Contact Form version 1.09 **Description** The issue allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the `LANG CODE` parameter when `magic quotes gpc` is disabled. **Recommendations** For Phpkobo Free Real Estate Contact Form version 1.09, consider disabling the `LANG CODE` parameter or restricting its use until a patch is available. Additionally, enabling `magic quotes gpc` may help mitigate the risk of exploitation.