Security Vulnerabilities, CVEs, Published In 2010 (File inclusion)

Multiple PHP remote file inclusion vulnerabilities in IsolSoft Support Center 2.5 allow remote attackers to execute arbitrary PHP code via a URL in the lang parameter to (1) newticket.php or (2) rempass.php, or a URL in the lang parameter in an adduser action to (3) index.php. NOTE: this can also be leveraged to include and execute arbitrary local files via .. (dot dot) sequences.

PHP remote file inclusion vulnerability in index.php in Cromosoft Technologies Facil Helpdesk 2.3 Lite allows remote attackers to execute arbitrary PHP code via a URL in the lng parameter. NOTE: this can also be leveraged to include and execute arbitrary local files via .. (dot dot) sequences.

PHP remote file inclusion vulnerability in mamboleto.php in the Fernando Soares Mamboleto (com_mamboleto) component 2.0 RC3 for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter.

Multiple PHP remote file inclusion vulnerabilities in Moa Gallery 1.2.0 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the MOA_PATH parameter to (1) _error_funcs.php, (2) _integrity_funcs.php, (3) _template_component_admin.php, (4) _template_component_gallery.php, (5) _template_parser.php, (6) mod_gallery_funcs.php, (7) mod_image_funcs.php, (8) mod_tag_funcs.php, (9) mod_tag_view.php, (10) mod_upgrade_funcs.php, (11) mod_user_funcs.php, (12) page_admin.php, (13) page_gallery_add.php, (14) page_gallery_view.php, (15) page_image_add.php, (16) page_image_view_full.php, (17) page_login.php, and (18) page_sitemap.php in sources/.

PHP remote file inclusion vulnerability in admin/admin_news_bot.php in Drunken:Golem Gaming Portal 0.5.1 alpha 2 allows remote attackers to execute arbitrary PHP code via a URL in the root_path parameter, a different vector than CVE-2007-0572.

Multiple PHP remote file inclusion vulnerabilities in Advanced Comment System 1.0 allow remote attackers to execute arbitrary PHP code via a URL in the ACS_path parameter to (1) index.php and (2) admin.php in advanced_comment_system/. NOTE: this might only be a vulnerability when the administrator has not followed installation instructions in install.php. NOTE: this might be the same as CVE-2020-35598.

Multiple PHP remote file inclusion vulnerabilities in Webradev Download Protect 1.0 allow remote attackers to execute arbitrary PHP code via a URL in the GLOBALS[RootPath] parameter to (1) Framework/EmailTemplates.class.php, (2) Customers/PDPEmailReplaceConstants.class.php, and (3) Admin/ResellersManager.class.php in includes/DProtect/.

Multiple PHP remote file inclusion vulnerabilities in GraFX MiniCWB 2.3.0 allow remote attackers to execute arbitrary PHP code via a URL in the LANG parameter to (1) en.inc.php, (2) hu.inc.php, (3) no.inc.php, (4) ro.inc.php, and (5) ru.inc.php in language/.

PHP remote file inclusion vulnerability in index.php in SkaDate Dating allows remote attackers to execute arbitrary PHP code via a URL in the language_id parameter. NOTE: this can also be leveraged to include and execute arbitrary local files via directory traversal sequences.

PHP remote file inclusion vulnerability in public/code/cp_html2xhtmlbasic.php in All In One Control Panel (AIOCP) 1.4.001 allows remote attackers to execute arbitrary PHP code via a URL in the page parameter, a different vector than CVE-2009-3220.

PHP remote file inclusion vulnerability in home.php in Top Paidmailer allows remote attackers to execute arbitrary PHP code via a URL in the page parameter.

PHP remote file inclusion vulnerability in anzeiger/start.php in Swinger Club Portal allows remote attackers to execute arbitrary PHP code via a URL in the go parameter.

Multiple PHP remote file inclusion vulnerabilities in NukeHall 0.3 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the spaw_root parameter to (1) blocks.php, (2) messages.php, and (3) stories.php in admin/modules/.

Multiple PHP remote file inclusion vulnerabilities in the MojoBlog component RC 0.15 for Joomla! allow remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter to (1) wp-comments-post.php and (2) wp-trackback.php.

PHP remote file inclusion vulnerability in index.php in CMS S.Builder 3.7 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in a binn_include_path cookie. NOTE: this can also be leveraged to include and execute arbitrary local files.

PHP remote file inclusion vulnerability in config.php in TotalCalendar 2.4 allows remote attackers to execute arbitrary PHP code via a URL in the inc_dir parameter, a different vector than CVE-2006-1922 and CVE-2006-7055.

PHP remote file inclusion vulnerability in index.php in MyBackup 1.4.0 allows remote authenticated users to execute arbitrary PHP code via a URL in the main_content parameter.

PHP remote file inclusion vulnerability in home.php in LM Starmail Paidmail 2.0 allows remote attackers to execute arbitrary PHP code via a URL in the page parameter.

Multiple PHP remote file inclusion vulnerabilities in BitScripts Bits Video Script 2.05 Gold Beta, and possibly 2.04, allow remote attackers to execute arbitrary PHP code via a URL in the rowptem[template] parameter to (1) showcasesearch.php and (2) showcase2search.php.

PHP remote file inclusion vulnerability in includes/moderation.php in Katalog Stron Hurricane 1.3.5, and possibly earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the includes_directory parameter.

PHP remote file inclusion vulnerability in include/WBmap.php in WikyBlog 1.7.3 rc2 allows remote attackers to execute arbitrary PHP code via a URL in the langFile parameter.

PHP remote file inclusion vulnerability in inc/config.php in deV!L`z Clanportal (DZCP) 1.5.2, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the basePath parameter.

PHP remote file inclusion vulnerability in external.php in PHPCityPortal allows remote attackers to execute arbitrary PHP code via a URL in the url parameter.

PHP remote file inclusion vulnerability in include/mail.inc.php in Rezervi 3.0.2 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the root parameter, a different vector than CVE-2007-2156.

Multiple PHP remote file inclusion vulnerabilities in osDate 2.1.9 and 2.5.4, when magic_quotes_gpc is disabled and register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the config[forum_installed] parameter to (1) forum/adminLogin.php and (2) forum/userLogin.php. NOTE: some of these details are obtained from third party information.