CVE-2002-0206
Published: 2002-05-16
Priority: P3 36 · high · 7.5 CVSS 2.0
AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 6.50% (92.9th percentile)
index.php in Francisco Burzi PHP-Nuke 5.3.1 and earlier, and possibly other versions before 5.5, allows remote attackers to execute arbitrary PHP code by specifying a URL to the malicious code in the file parameter.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| francisco_burzi | php-nuke | — | — |
No detection rules found.
Exploit-DB
D-Link DWL Series Access-Point 2.10na - Config Disclosure
exploitdb·2006-06-08
CVE-2006-2901 D-Link DWL Series Access-Point 2.10na - Config Disclosure
---
# ADVISORY/0206 - D-Link Wireless Access-Point (DWL-2100ap)
# INTRUDERS TIGER TEAM SECURITY - SECURITY ADVISORY
# http://www.intruders.com.br/ , http://www.intruders.org.br/
Making an HTTP request to the /cgi-bin/ directory, the Web server will return error 404 (Page not found).
Making an HTTP request to the /cgi-bin/AnyFile.htm, the Web server will return error 404 (Page not found).
However, making an HTTP request to any file in /cgi-bin/ directory, with .cfg extension, will return all the device configuration.
For example, making the following request:
http://dlink-DWL-2100ap/cgi-bin/Intruders.cfg
We would have a result equivalent to the following:
# Copyright (c) 2002 Atheros Communications, Inc., All Rights Reserved
# DO
Exploit-DB
PHP-Nuke 4.x/5.x - Arbitrary File Inclusion
exploitdb·2002-01-16
CVE-2002-0206 PHP-Nuke 4.x/5.x - Arbitrary File Inclusion
---
source: https://www.securityfocus.com/bid/3889/info
PHPNuke is a website creation/maintenance tool.
The 'index.php' script has a feature which allows users to include files. Due to insufficient input validation, it is possible to include files located on a remote server. Arbitrary code in the attacker's included file may be executed.
As one consequence of this issue, a remote attacker can cause commands to be executed on the shell of the host running vulnerable versions of PHPNuke. Commands will be executed with the privileges of the webserver process and may result in the attacker gaining local access.
It is not known whether this vulnerability affects PostNuke, though the possibility exists.
Create the following file on a remote serve
No writeups or analysis indexed.
http://marc.info/?l=bugtraq&m=101121913914205&w=2
http://www.kb.cert.org/vuls/id/221683
http://www.securityfocus.com/bid/3889
https://exchange.xforce.ibmcloud.com/vulnerabilities/7914