MidnightBSD

Advisories for bugada_andrea

CVE-2005-1604 HIGH

PHP Advanced Transfer Manager (phpATM) 1.21 allows remote attackers to upload arbitrary files via filenames containing multiple file extensions, as demonstrated using a filename ending in "php.ns", which allows execution of arbitrary PHP code.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
bugada_andrea php_advanced_transfer_manager 1.21
CVE-2005-1681 HIGH

PHP remote file inclusion vulnerability in common.php in phpATM 1.21, and possibly earlier versions, allows remote attackers to execute arbitrary PHP code via a URL in the include_location parameter to index.php.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
bugada_andrea php_advanced_transfer_manager 1.20
bugada_andrea php_advanced_transfer_manager 1.21
CVE-2005-2997 MEDIUM

Multiple directory traversal vulnerabilities in PHP Advanced Transfer Manager 1.30 allow remote attackers to read arbitrary files via ".." sequences in (1) the currentdir parameter to txt.php, or the current_dir parameter to (2) htm.php or (3) html.php.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
bugada_andrea php_advanced_transfer_manager 1.30
CVE-2005-2998 HIGH

PHP Advanced Transfer Manager 1.30 has a default password for the administrator user, which allows remote attackers to upload and execute arbitrary PHP files.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
bugada_andrea php_advanced_transfer_manager 1.30
CVE-2005-2999 MEDIUM

PHP Advanced Transfer Manager 1.30 allows remote attackers to obtain sensitive PHP configuration information via a direct request to test.php.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
bugada_andrea php_advanced_transfer_manager 1.30
CVE-2005-3000 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in viewers/txt.php in PHP Advanced Transfer Manager 1.30 allow remote attackers to inject arbitrary web script or HTML via the (1) font, (2) normalfontcolor, or (3) mess[31] parameters.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
bugada_andrea php_advanced_transfer_manager 1.30
CVE-2006-1209 MEDIUM

PHP Advanced Transfer Manager 1.00 through 1.30 stores sensitive information, including password hashes, under the web root with insufficient access control, which allows remote attackers to download each password hash via a direct request for a users/[USERNAME] file.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
bugada_andrea php_advanced_transfer_manager 1.01
bugada_andrea php_advanced_transfer_manager 1.00
bugada_andrea php_advanced_transfer_manager 1.03
bugada_andrea php_advanced_transfer_manager 1.02
bugada_andrea php_advanced_transfer_manager 1.20
bugada_andrea php_advanced_transfer_manager 1.21
bugada_andrea php_advanced_transfer_manager 1.30
bugada_andrea php_advanced_transfer_manager 1.22