CVE-2009-2399 – DM FileManager 3.9.4 - Remote File Inclusion
https://notcve.org/view.php?id=CVE-2009-2399
PHP remote file inclusion vulnerability in dm-albums/template/album.php in DM FileManager 3.9.4, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the SECURITY_FILE parameter. • https://www.exploit-db.com/exploits/9044 http://secunia.com/advisories/35622 http://www.exploit-db.com/exploits/9044 • CWE-94: Improper Control of Generation of Code ('Code Injection')
CVE-2009-2396 – DM Albums <= 1.9.2 - Remote File Inclusion
https://notcve.org/view.php?id=CVE-2009-2396
PHP remote file inclusion vulnerability in template/album.php in DM Albums 1.9.2, as used standalone or as a WordPress plugin, allows remote attackers to execute arbitrary PHP code via a URL in the SECURITY_FILE parameter. • https://www.exploit-db.com/exploits/9043 http://secunia.com/advisories/35619 http://www.exploit-db.com/exploits/9043 http://www.securityfocus.com/bid/35521 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CVE-2009-2025 – DM FileManager 3.9.2 - Insecure Cookie Handling
https://notcve.org/view.php?id=CVE-2009-2025
admin/login.php in DM FileManager 3.9.2 allows remote attackers to bypass authentication and gain administrative access by setting the (1) USER, (2) GROUPID, (3) GROUP, and (4) USERID cookies to certain values. • https://www.exploit-db.com/exploits/8903 http://secunia.com/advisories/35167 http://www.vupen.com/english/advisories/2009/1532 • CWE-264: Permissions, Privileges, and Access Controls
CVE-2009-1741 – DM FileManager 3.9.2 - Authentication Bypass
https://notcve.org/view.php?id=CVE-2009-1741
Multiple SQL injection vulnerabilities in login.php in DM FileManager 3.9.2, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) Username and (2) Password fields. • https://www.exploit-db.com/exploits/8741 http://osvdb.org/54597 http://secunia.com/advisories/35167 http://www.securityfocus.com/bid/35035 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')