Khashayar Fereidani

**Name of the Vulnerable Software and Affected Versions** DokuWiki version 2012-01-25 Angua **Description** A cross-site request forgery (CSRF) issue in doku.php allows remote attackers to hijack the authentication of administrators for requests that add arbitrary users. The vendor disputes this issue, stating it is resultant from another vulnerability, where the exploit code uses an XSS hole to extract a valid CSRF token. **Recommendations** For DokuWiki version 2012-01-25 Angua, at the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** DokuWiki version 2012-01-25 Angua **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML via the `target` parameter in an edit action. **Recommendations** For DokuWiki version 2012-01-25 Angua, consider disabling the edit action or restricting access to the `target` parameter until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Greenwood PHP Content Manager version 0.3.2 **Description** A directory traversal issue exists, allowing remote attackers to include and execute arbitrary local files. This is achieved by using a .. (dot dot) in the `content path` parameter. **Recommendations** For version 0.3.2, consider restricting access to the `include/processor.php` file until a patch is available. As a temporary workaround, avoid using the `content path` parameter with untrusted input to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Easy Photo Gallery version 2.1 **Description** The issue allows remote attackers to execute arbitrary SQL commands via the `username` parameter in the gallery.php file. **Recommendations** For Easy Photo Gallery version 2.1, consider restricting access to the gallery.php file until a patch is available, and avoid using the `username` parameter in this context to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Easy Photo Gallery version 2.1 **Description** The issue allows remote attackers to inject arbitrary web script or HTML, which can lead to cross-site scripting (XSS) attacks. This is possible via the `galleryid` parameter to "gallery.php", and the `size` or `imageid` parameters to "show.php". **Recommendations** For Easy Photo Gallery version 2.1, consider restricting access to the "gallery.php" and "show.php" scripts until a patch is available. As a temporary workaround, avoid using the `galleryid`, `size`, and `imageid` parameters in the affected scripts.

Name of the Vulnerable Software and Affected Versions: Fantastico De Luxe Module for cPanel (affected versions not specified) Description: The issue is related to a directory traversal vulnerability. It allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the `scriptpath show` parameter in a GoAhead action. This issue crosses privilege boundaries when certain security settings, such as disable functions and safe mode, are active. Exploitation requires uploading executable code to a home directory. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Fantastico De Luxe Module for cPanel (affected versions not specified) Description: The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via several parameters in an Upgrade action, including `localapp`, `updatedir`, `scriptpath show`, `domain show`, `thispage`, `thisapp`, and `currentversion`. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PHP-Fusion E-Cart module version 1.3 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `CA` parameter in the items.php file. **Recommendations** For PHP-Fusion E-Cart module version 1.3, consider restricting access to the items.php file or the `CA` parameter to minimize the risk of exploitation until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Asp Project Management version 1.0 **Description** The issue allows remote attackers to bypass authentication and gain administrative access. This is achieved by setting the `crypt` cookie to 1, effectively allowing unauthorized access to administrative functions. **Recommendations** For Asp Project Management version 1.0, as a temporary workaround, consider restricting access to administrative functions until a patch is available. Avoid using the `crypt` cookie or set it to a value other than 1 to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Team Impact TI Blog System mod for PHP-Fusion (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved by exploiting the `id` parameter in the `blog.php` file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PhpWebGallery version 1.3.4 **Description** The issue allows remote attackers to include and execute arbitrary local files. This is achieved by exploiting directory traversal vulnerabilities using a .. (dot dot) in the `user[language]` and `user[template]` parameters to "init.inc.php" and the `user[language]` parameter to "isadmin.inc.php". **Recommendations** For PhpWebGallery version 1.3.4, as a temporary workaround, consider restricting access to the vulnerable parameters `user[language]` and `user[template]` in "init.inc.php" and the `user[language]` parameter in "isadmin.inc.php" to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PhpWebGallery version 1.3.4 **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via the `lang[access forbiden]` and `lang[ident title]` parameters in the admin/include/isadmin.inc.php file. **Recommendations** For PhpWebGallery version 1.3.4, as a temporary workaround, consider restricting access to the admin/include/isadmin.inc.php file until a patch is available. Avoid using the `lang[access forbiden]` and `lang[ident title]` parameters in the affected file until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** NooMS version 1.1 **Description** The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via the `page id` parameter to "smileys.php" and the `q` parameter to "search.php". **Recommendations** For NooMS version 1.1, consider restricting access to the "smileys.php" and "search.php" scripts until a fix is available. As a temporary workaround, avoid using the `page id` and `q` parameters in the affected API endpoints.

**Name of the Vulnerable Software and Affected Versions** NooMS version 1.1 **Description** The issue allows remote attackers to conduct brute force attacks against passwords. This is achieved by providing a `username` in the `g dbuser` parameter and a `password` in the `g dbpwd` parameter. The attack might also involve setting the `g dbhost` parameter to a "localhost" value. **Recommendations** For NooMS version 1.1, consider restricting access to the db.php file to prevent brute force attacks, and limit the number of login attempts to mitigate the risk of exploitation. As a temporary workaround, restrict the use of the `g dbuser` and `g dbpwd` parameters until a patch is available.

**Name of the Vulnerable Software and Affected Versions** NooMS version 1.1 **Description** The issue allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks. This is achieved by manipulating a URL in the `g site url` parameter in the admin/auth.php file. **Recommendations** For NooMS version 1.1, consider restricting access to the admin/auth.php file until a patch is available, and avoid using the `g site url` parameter in this context to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** phsBlog version 0.2 **Description** The issue concerns SQL injection vulnerabilities in the index.php file of phsBlog. Remote attackers can execute arbitrary SQL commands via the `sid` parameter in a pickup action or the `sql cid` parameter. **Recommendations** For phsBlog version 0.2, consider restricting access to the `sid` and `sql cid` parameters in the index.php file to minimize the risk of exploitation. As a temporary workaround, avoid using these parameters in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Mambo versions 4.6.2 through 4.6.5 **Description** The issue allows remote attackers to inject arbitrary web script or HTML, potentially leading to cross-site scripting (XSS) attacks. This is possible when the register globals setting is enabled. Specifically, the "query string to mambots/editors/mostlyce/jscripts/tiny mce/filemanager/connectors/php/connector.php" and the `mosConfig sitename` parameter to "administrator/popups/index3pop.php" are vulnerable to such injections. **Recommendations** For Mambo versions 4.6.2 through 4.6.5, consider disabling the register globals setting to mitigate the risk of exploitation. As a temporary workaround, restrict access to the "mambots/editors/mostlyce/jscripts/tiny mce/filemanager/connectors/php/connector.php" and "administrator/popups/index3pop.php" files until a patch is available. Avoid using the `mosConfig sitename` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Pluck version 4.5.2 **Description** The issue allows remote attackers to inject arbitrary web script or HTML, potentially leading to cross-site scripting (XSS) attacks. This can occur through various parameters in different PHP files, including `lang footer` in `data/inc/footer.php`, multiple parameters in `data/inc/header.php` and `data/inc/header2.php`, and `lang theme6` in `data/inc/themeinstall.php`. The affected parameters are: `lang footer`, `pluck version`, `lang install22`, `titelkop`, `lang kop1`, `lang kop2`, `lang modules`, `lang kop4`, `lang kop15`, `lang kop5`, and `lang theme6`. **Recommendations** For Pluck version 4.5.2, consider disabling the `register globals` setting to mitigate the risk of exploitation. As a temporary workaround, restrict access to the vulnerable parameters, such as `lang footer`, `pluck version`, `lang install22`, `titelkop`, `lang kop1`, `lang kop2`, `lang modules`, `lang kop4`, `lang kop15`, `lang kop5`, and `lang theme6`, in the affected PHP files until a patch is available. Avoid using these parameters in the "data/inc/footer.php", "data/inc/header.php", "data/inc/header2.php", and "data/inc/themeinstall.php" files until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** MyioSoft EasyE-Cards versions 3.5 through 3.10a **Description** The issue allows remote attackers to execute arbitrary SQL commands when magic quotes gpc is disabled. This is achieved via the `sid` parameter in a "pickup" action. **Recommendations** For MyioSoft EasyE-Cards versions 3.5 through 3.10a, consider disabling the `pickup` action or restricting access to it until a patch is available. Additionally, enabling magic quotes gpc can help mitigate the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** MyioSoft EasyE-Cards versions 3.5 through 3.10a **Description** The issue allows remote attackers to inject arbitrary web script or HTML via several parameters, including `ResultHtml`, `dir`, `SenderName`, `RecipientName`, `SenderMail`, and `RecipientMail`. This can be exploited by sending malicious input to the affected API endpoint. **Recommendations** For MyioSoft EasyE-Cards versions 3.5 through 3.10a, as a temporary workaround, consider restricting access to the `staticpages/easyecards/index.php` endpoint until a patch is available. Avoid using the parameters `ResultHtml`, `dir`, `SenderName`, `RecipientName`, `SenderMail`, and `RecipientMail` in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.