Multiple PHP remote file inclusion vulnerabilities in phpCollegeExchange 0.1.5c, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the home parameter to (1) i_head.php, (2) i_nav.php, (3) user_new_2.php, or (4) house/myrents.php; or (5) allbooks.php, (6) home.php, or (7) mybooks.php in books/. NOTE: house/myrents.php was also separately reported as a local file inclusion issue.
References
Link | Resource |
---|---|
http://secunia.com/advisories/35452 | Vendor Advisory |
http://www.exploit-db.com/exploits/9008 | |
http://secunia.com/advisories/35452 | Vendor Advisory |
http://www.exploit-db.com/exploits/9008 |
Configurations
History
21 Nov 2024, 01:04
Type | Values Removed | Values Added |
---|---|---|
References | () http://secunia.com/advisories/35452 - Vendor Advisory | |
References | () http://www.exploit-db.com/exploits/9008 - |
Information
Published : 2009-06-25 23:14
Updated : 2024-11-21 01:04
NVD link : CVE-2009-2218
Mitre link : CVE-2009-2218
CVE.ORG link : CVE-2009-2218
JSON object : View
Products Affected
david_degner
- phpcollegeexchange
CWE
CWE-94
Improper Control of Generation of Code ('Code Injection')