Girex

**Name of the Vulnerable Software and Affected Versions** Quicksilver Forums versions 1.4.2 and earlier QSF Portal versions prior to 1.4.5 **Description** The issue allows remote attackers to include and execute arbitrary local files via a "" (backslash) in the `lang` parameter to "index.php". This bypasses a protection mechanism that only checks for "/" (forward slash). Attackers can upload and include PHP code in an avatar file. **Recommendations** For Quicksilver Forums versions 1.4.2 and earlier, update to a version later than 1.4.2. For QSF Portal versions prior to 1.4.5, update to version 1.4.5 or later. As a temporary workaround, consider restricting access to the `get lang` function in global.php to minimize the risk of exploitation. Avoid using the `lang` parameter in the "index.php" endpoint until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Unclassified NewsBoard (UNB) version 1.6.4 Description: The issue allows remote attackers to obtain sensitive information via a direct request to import wbb1.php, which reveals the installation path in an error message. Recommendations: For Unclassified NewsBoard (UNB) version 1.6.4, consider restricting access to the import wbb1.php file to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Unclassified NewsBoard (UNB) version 1.6.4 Description: The issue allows remote attackers to read arbitrary recently-modified files or include and execute arbitrary local files due to directory traversal vulnerabilities in the forum.php file. This occurs when register globals is enabled and magic quotes gpc is disabled. The attack can be performed by exploiting the `GLOBALS[filename]` parameter or the `GLOBALS[UTE][ tplCollection][a][file]` parameter using a .. (dot dot) sequence. Recommendations: For Unclassified NewsBoard (UNB) version 1.6.4, consider disabling the register globals setting and enabling magic quotes gpc to prevent exploitation. Additionally, restrict access to the forum.php file and its parameters, such as `GLOBALS[filename]` and `GLOBALS[UTE][ tplCollection][a][file]`, to minimize the risk of directory traversal attacks.

Name of the Vulnerable Software and Affected Versions: Unclassified NewsBoard (UNB) version 1.6.4 Description: The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `Query` parameter in a search action to "forum.php". Recommendations: For version 1.6.4, consider restricting access to the `UnbDbEncode` function in `unb lib/database.lib.php` until a patch is available. Avoid using the `Query` parameter in the search action to "forum.php" to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** LightNEasy SQLite versions 1.2.2 and earlier **Description** The issue allows remote attackers to inject arbitrary PHP code into comments.dat via the `dlid` parameter to "index.php". This is a SQL injection vulnerability in LightNEasy/lightneasy.php. **Recommendations** For versions 1.2.2 and earlier, as a temporary workaround, consider restricting access to the `dlid` parameter in the "index.php" endpoint until a patch is available. Avoid using the `dlid` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Thumbs-Up version 1.12 LightNEasy "no database" (aka flat) SQLite versions 1.2.2 and earlier **Description** The issue allows remote attackers to copy, rename, and read arbitrary files via directory traversal sequences in the `image` parameter with a modified `cache dir` parameter containing a %00 (encoded null byte). **Recommendations** For Thumbs-Up version 1.12, consider restricting access to the `thumbsup.php` file until a patch is available. For LightNEasy "no database" (aka flat), restrict the use of the `image` parameter in the affected endpoint to minimize the risk of exploitation. For SQLite versions 1.2.2 and earlier, avoid using the `cache dir` parameter with encoded null bytes (`%00`) in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** LightNEasy version 1.2 **Description** The issue allows remote attackers to obtain the hash of the administrator password. This is achieved by exploiting the setup "do" action to LightNEasy.php. Although the variable is cleared from $ GET, it can still be accessed using $ REQUEST, thus allowing the attack. **Recommendations** For version 1.2, consider restricting access to the LightNEasy.php file until a patch is available, or ensure that the setup "do" action is properly validated and sanitized to prevent unauthorized access. As a temporary workaround, avoid using the $ REQUEST variable to access sensitive data, and instead, use $ GET or $ POST explicitly to minimize the risk of exploitation.

SQL injection vulnerability in misc.php in DeluxeBB 1.3 and earlier allows remote attackers to execute arbitrary SQL commands via the qorder parameter, a different vector than CVE-2005-2989 and CVE-2006-2503.

**Name of the Vulnerable Software and Affected Versions** e107 versions 0.7.13 and earlier **Description** The issue allows remote authenticated users to execute arbitrary SQL commands. This is achieved via the `ue[]` parameter in the usersettings.php file. **Recommendations** For versions 0.7.13 and earlier, update to a version later than 0.7.13 to resolve the issue. As a temporary workaround, consider restricting access to the usersettings.php file or avoiding the use of the `ue[]` parameter until a patch is available.

**Name of the Vulnerable Software and Affected Versions** IceBB versions prior to 1.0-rc9.3 **Description** The issue allows remote attackers to execute arbitrary SQL commands via the `username` parameter in a members action to "index.php". This is related to an incorrect protection mechanism in the `clean string` function in "includes/functions.php". **Recommendations** For versions prior to 1.0-rc9.3, update to version 1.0-rc9.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the "members" action in "index.php" to minimize the risk of exploitation. Avoid using the `username` parameter in the affected module until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Triton CMS Pro (affected versions not specified) Description: A SQL injection issue allows remote attackers to execute arbitrary SQL commands via the X-Forwarded-For HTTP header. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** miniBB versions 2.2 and earlier **Description** The issue concerns SQL injection vulnerabilities in setup mysql.php and setup options.php. These vulnerabilities allow remote attackers to execute arbitrary SQL commands when register globals is enabled. The attack vector is the xtr parameter in a userinfo action to "index.php". **Recommendations** For miniBB versions 2.2 and earlier, consider disabling the register globals setting to mitigate the risk of SQL injection attacks. Restrict access to setup mysql.php and setup options.php to minimize the risk of exploitation. Avoid using the xtr parameter in the userinfo action to "index.php" until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** miniBB versions 2.2 and earlier **Description** The issue allows remote attackers to obtain the full path of the system via a direct request to the `glang` parameter in a `registernew` action to "index.php". This is possible when `register globals` is enabled, and it leaks the path in an error message. **Recommendations** For miniBB versions 2.2 and earlier, consider disabling the `register globals` setting to prevent exploitation. As a temporary workaround, restrict access to the `index.php` file, specifically the `registernew` action, until a patch is available. Avoid using the `glang` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** miniBB versions 2.2 and earlier **Description** The issue is related to a cross-site scripting (XSS) vulnerability. This occurs when an attacker can inject arbitrary web script or HTML into a website, potentially allowing them to steal user data or take control of the user's session. The vulnerability can be exploited through the `glang[]` parameter in a "registernew" action when `register globals` is enabled. **Recommendations** For miniBB versions 2.2 and earlier, consider disabling the `register globals` setting to prevent exploitation of this issue. Additionally, restrict access to the "registernew" action in index.php to minimize the risk of XSS attacks. Avoid using the `glang[]` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** 1024 CMS versions 1.4.2 beta and earlier **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is possible when the `magic quotes gpc` setting is disabled. Attackers can exploit this via a `cookpass` cookie. **Recommendations** For versions 1.4.2 beta and earlier, consider enabling the `magic quotes gpc` setting to prevent SQL injection attacks. Additionally, as a temporary workaround, restrict access to the `includes/system.php` file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** LokiCMS versions 0.3.3 and earlier **Description** A static code injection issue exists, allowing remote attackers to inject arbitrary PHP code into includes/Config.php via the `default` parameter in admin.php. **Recommendations** For LokiCMS versions 0.3.3 and earlier, update to a version later than 0.3.3 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** TopperMod version 2.0 **Description** The issue allows remote attackers to execute arbitrary SQL commands via a non-alphanumeric first character in the `localita` parameter. This occurs when `magic quotes gpc` is disabled, bypassing a protection mechanism. **Recommendations** For TopperMod version 2.0, consider disabling the `account/index.php` page or restricting access to it until a patch is available. As a temporary workaround, enable `magic quotes gpc` to prevent SQL injection attacks. Additionally, restrict the `localita` parameter to only allow alphanumeric characters to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** TopperMod version 1.0 **Description** The issue allows remote attackers to include and execute arbitrary local files. This is achieved by using a .. (dot dot) in the `to` parameter of a vulnerable endpoint, potentially leading to directory traversal. **Recommendations** For TopperMod version 1.0, consider restricting access to the `mod.php` file until a patch is available, or apply configuration changes to prevent directory traversal attacks by properly sanitizing the `to` parameter.