CVE-2008-3354 – RunCMS 1.6.1 - 'bbPath[path]' Remote File Inclusion

https://notcve.org/view.php?id=CVE-2008-3354

Multiple PHP remote file inclusion vulnerabilities in the Newbb Plus (newbb_plus) module 0.93 in RunCMS 1.6.1 allow remote attackers to execute arbitrary PHP code via a URL in the (1) bbPath[path] parameter to votepolls.php and the (2) bbPath[root_theme] parameter to config.php, different vectors than CVE-2006-0659. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Múltiples vulnerabilidades de inclusión remota de fichero PHP en el módulo Newbb Plus (newbb_plus) 0.93 en RunCMS 1.6.1, permite a atacantes remotos ejecutar código PHP de su elección a través de una URL en los parámetros 1) bbPath[path] a votepolls.php y (2) bbPath[root_theme] a config.php, diferentes vectores que los de CVE-2006-0659. NOTA: el origen de esta información es desconocido. Los detalles han sido obtenidos de terceros. • https://www.exploit-db.com/exploits/32099 https://www.exploit-db.com/exploits/32100 http://www.securityfocus.com/bid/30331 http://www.securityfocus.com/bid/30331/exploit https://exchange.xforce.ibmcloud.com/vulnerabilities/43969 • CWE-94: Improper Control of Generation of Code ('Code Injection') •