CVE-2008-3354 - Code Injection vulnerability in Runcms Newbb Plus Module and Runcms
Multiple PHP remote file inclusion vulnerabilities in the Newbb Plus (newbb_plus) module 0.93 in RunCMS 1.6.1 allow remote attackers to execute arbitrary PHP code via a URL in the (1) bbPath[path] parameter to votepolls.php and the (2) bbPath[root_theme] parameter to config.php, different vectors than CVE-2006-0659. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Manipulating User-Controlled Variables: This attack targets user-controlled variables (DEBUG=1, PHP globals, and so forth). An attacker can override environment variables by leveraging user-supplied, untrusted query variables that are used directly on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.
- description: RunCMS 1.6.1 votepolls.php bbPath[path] Parameter Remote File Inclusion. CVE-2008-3354. Webapps exploit for php platform
  id: EDB-ID:32099
  last seen: 2016-02-03
  modified: 2008-07-21
  published: 2008-07-21
  reporter: Ciph3r
  source: https://www.exploit-db.com/download/32099/
  title: RunCMS 1.6.1 - votepolls.php bbPathpath Parameter Remote File Inclusion

- description: RunCMS 1.6.1 config.php bbPath[root_theme] Parameter Remote File Inclusion. CVE-2008-3354. Webapps exploit for php platform
  id: EDB-ID:32100
  last seen: 2016-02-03
  modified: 2008-07-21
  published: 2008-07-21
  reporter: Ciph3r
  source: https://www.exploit-db.com/download/32100/
  title: RunCMS 1.6.1 - config.php bbPathroot_theme Parameter Remote File Inclusion