PHP remote file include vulnerability in functions_admin.php in Virtual War (VWar) 1.5.0 R10 allows remote attackers to include and execute arbitrary PHP code via unspecified attack vectors. NOTE: this issue has been referred to as XSS, but it is clear from the vendor description that it is a file inclusion problem.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| vwar | virtual_war | 1.3 |
| vwar | virtual_war | 1.4 |
| vwar | virtual_war | 1.5.0_r10 |
PHP remote file inclusion vulnerability in includes/functions_install.php in Virtual War (VWar) 1.5.0 R11 and earlier allows remote attackers to include and execute arbitrary PHP code via a URL in the vwar_root parameter. NOTE: this is a different vulnerability than CVE-2006-1636.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-94,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| vwar | virtual_war | 1.0.4 |
| vwar | virtual_war | 1.1.4 |
| vwar | virtual_war | 1.4 |
| vwar | virtual_war | 1.2.1 |
| vwar | virtual_war | 1.0.5 |
| vwar | virtual_war | 1.1.6 |
| vwar | virtual_war | 1.5.0_r1 |
| vwar | virtual_war | 1.5.0_r7 |
| vwar | virtual_war | 1.0.3 |
| vwar | virtual_war | 1.3 |
| vwar | virtual_war | 1.1.5 |
| vwar | virtual_war | 1.1.8 |
| vwar | virtual_war | 1.1.1 |
| vwar | virtual_war | 1.0.0 |
| vwar | virtual_war | 1.5.0_r3 |
| vwar | virtual_war | 1.0.7 |
| vwar | virtual_war | 1.5.0_r4 |
| vwar | virtual_war | 1.2.2 |
| vwar | virtual_war | 1.5.0_r10 |
| vwar | virtual_war | 1.1.7 |
| vwar | virtual_war | 1.2.0 |
| vwar | virtual_war | 1.5.0_r6 |
| vwar | virtual_war | 1.5.0_r2 |
| vwar | virtual_war | 1.5.0_r8 |
| vwar | virtual_war | 1.0.9 |
| vwar | virtual_war | 1.5 |
| vwar | virtual_war | 1.5.0_r5 |
| vwar | virtual_war | 1.1.2 |
| vwar | virtual_war | 1.0.1 |
| vwar | virtual_war | 1.1.3 |
| vwar | virtual_war | 1.0.6 |
| vwar | virtual_war | 1.0.2 |
| vwar | virtual_war | 1.1.0 |
| vwar | virtual_war | 1.0.8 |
| vwar | virtual_war | 1.5.0_r11 |
| vwar | virtual_war | 1.5.0_r9 |
PHP remote file inclusion vulnerability in get_header.php in VWar 1.5.0 R12 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the vwar_root parameter. NOTE: this is a different vulnerability than CVE-2006-1503.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-94,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| vwar | virtual_war | 1.0.4 |
| vwar | virtual_war | 1.1.4 |
| vwar | virtual_war | 1.4 |
| vwar | virtual_war | 1.2.1 |
| vwar | virtual_war | 1.0.5 |
| vwar | virtual_war | 1.1.6 |
| vwar | virtual_war | 1.5.0_r1 |
| vwar | virtual_war | 1.5.0_r7 |
| vwar | virtual_war | 1.0.3 |
| vwar | virtual_war | 1.3 |
| vwar | virtual_war | 1.1.5 |
| vwar | virtual_war | 1.1.8 |
| vwar | virtual_war | 1.1.1 |
| vwar | virtual_war | 1.0.0 |
| vwar | virtual_war | 1.5.0_r3 |
| vwar | virtual_war | 1.0.7 |
| vwar | virtual_war | 1.5.0_r4 |
| vwar | virtual_war | 1.2.2 |
| vwar | virtual_war | 1.5.0_r10 |
| vwar | virtual_war | 1.1.7 |
| vwar | virtual_war | 1.2.0 |
| vwar | virtual_war | 1.5.0_r6 |
| vwar | virtual_war | 1.5.0_r2 |
| vwar | virtual_war | 1.5.0_r8 |
| vwar | virtual_war | 1.0.9 |
| vwar | virtual_war | 1.5 |
| vwar | virtual_war | 1.5.0_r5 |
| vwar | virtual_war | 1.1.2 |
| vwar | virtual_war | 1.0.1 |
| vwar | virtual_war | 1.1.3 |
| vwar | virtual_war | 1.0.6 |
| vwar | virtual_war | 1.0.2 |
| vwar | virtual_war | 1.1.0 |
| vwar | virtual_war | 1.0.8 |
| vwar | virtual_war | 1.5.0_r12 |
| vwar | virtual_war | 1.5.0_r11 |
| vwar | virtual_war | 1.5.0_r9 |
PHP remote file inclusion vulnerability in Virtual War (VWar) 1.5.0 allows remote attackers to execute arbitrary PHP code via a URL in the vwar_root parameter to (1) admin/admin.php, (2) war.php, (3) stats.php, (4) news.php, (5) joinus.php, (6) challenge.php, (7) calendar.php, (8) member.php, (9) popup.php, and other unspecified scripts in the admin folder. NOTE: these are different attack vectors than CVE-2006-1636 and CVE-2006-1503.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| vwar | virtual_war | 1.5.0 |
admin.php in Virtual War (VWar) 1.5 and versions before 1.2 allows remote attackers to obtain sensitive information via an invalid vwar_root parameter, which reveals the path in an error message.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| vwar | virtual_war | 1.0.4 |
| vwar | virtual_war | 1.1.4 |
| vwar | virtual_war | 1.0.9 |
| vwar | virtual_war | 1.5 |
| vwar | virtual_war | 1.0.5 |
| vwar | virtual_war | 1.1.6 |
| vwar | virtual_war | 1.1.2 |
| vwar | virtual_war | 1.0.1 |
| vwar | virtual_war | 1.1.3 |
| vwar | virtual_war | 1.0.3 |
| vwar | virtual_war | 1.0.6 |
| vwar | virtual_war | 1.0.2 |
| vwar | virtual_war | 1.1.0 |
| vwar | virtual_war | 1.1.5 |
| vwar | virtual_war | 1.1.8 |
| vwar | virtual_war | 1.1.1 |
| vwar | virtual_war | 1.0.0 |
| vwar | virtual_war | 1.0.7 |
| vwar | virtual_war | 1.0.8 |
| vwar | virtual_war | 1.1.7 |
Multiple SQL injection vulnerabilities in war.php in Virtual War (VWar) 1.5.0 R14 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) s, (2) showgame, (3) sortorder, and (4) sortby parameters.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-89,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| vwar | virtual_war | 1.5.0_r5 |
| vwar | virtual_war | 1.5.0_r1 |
| vwar | virtual_war | 1.5.0_r7 |
| vwar | virtual_war | * |
| vwar | virtual_war | 1.5.0_r3 |
| vwar | virtual_war | 1.5.0_r4 |
| vwar | virtual_war | 1.5.0_r10 |
| vwar | virtual_war | 1.5.0_r13 |
| vwar | virtual_war | 1.5.0_r12 |
| vwar | virtual_war | 1.5.0_r11 |
| vwar | virtual_war | 1.5.0_r6 |
| vwar | virtual_war | 1.5.0_r2 |
| vwar | virtual_war | 1.5.0_r8 |
| vwar | virtual_war | 1.5.0_r9 |
Virtual War (aka VWar) 1.5.0r15 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by includes/language/dutch.inc.php and certain other files.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| vwar | virtual_war | 1.5.0 |