W0Cker

**Name of the Vulnerable Software and Affected Versions** Dragoon version 0.1 **Description** A directory traversal issue exists, allowing remote attackers to include and execute arbitrary local files. This is achieved by providing a .. (dot dot) in the `cal[lng]` parameter. **Recommendations** For Dragoon version 0.1, as a temporary workaround, consider restricting access to the `calendrier.php` file in the `forum/kietu/libs` directory until a patch is available. Avoid using the `cal[lng]` parameter with untrusted input in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PhpBlock A8.4 **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `PATH TO CODE` parameter in the modules/basicfog/basicfogfactory.class.php file. **Recommendations** For PhpBlock A8.4, consider restricting access to the `PATH TO CODE` parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** DaZPHPNews versions 0.1-1 **Description** The issue allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the `prefixdir` parameter, when `register globals` is enabled and `magic quotes gpc` is disabled. **Recommendations** For DaZPHPNews versions 0.1-1, consider disabling the `register globals` setting and enabling `magic quotes gpc` to mitigate the risk of exploitation. Additionally, restrict access to the `makepost.php` file and avoid using the `prefixdir` parameter until a fix is available.

**Name of the Vulnerable Software and Affected Versions** Alex Kocharin PHP Fidonet Tosser (PhFiTo) version 1.3.0 **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `SRC PATH` parameter to the `/phfito-post` endpoint. This can lead to unauthorized code execution. **Recommendations** For Alex Kocharin PHP Fidonet Tosser (PhFiTo) version 1.3.0, consider restricting access to the `phfito-post` endpoint until a patch is available, and avoid using the `SRC PATH` parameter in this endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** sk.log versions 0.5.3 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `SKIN URL` parameter. This is a result of a PHP remote file inclusion vulnerability in the php-inc/log.inc.php file. **Recommendations** For sk.log versions 0.5.3 and earlier, avoid using the `SKIN URL` parameter until the issue is resolved. As a temporary workaround, consider restricting access to the php-inc/log.inc.php file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.