MidnightBSD

Advisories for vwar

CVE-2005-4748 MEDIUM

PHP remote file include vulnerability in functions_admin.php in Virtual War (VWar) 1.5.0 R10 allows remote attackers to include and execute arbitrary PHP code via unspecified attack vectors. NOTE: this issue has been referred to as XSS, but it is clear from the vendor description that it is a file inclusion problem.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
vwar virtual_war 1.3
vwar virtual_war 1.4
vwar virtual_war 1.5.0_r10
CVE-2006-1503 MEDIUM

PHP remote file inclusion vulnerability in includes/functions_install.php in Virtual War (VWar) 1.5.0 R11 and earlier allows remote attackers to include and execute arbitrary PHP code via a URL in the vwar_root parameter. NOTE: this is a different vulnerability than CVE-2006-1636.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-94,

Products Affected

Vendor Product Version
vwar virtual_war 1.0.4
vwar virtual_war 1.1.4
vwar virtual_war 1.4
vwar virtual_war 1.2.1
vwar virtual_war 1.0.5
vwar virtual_war 1.1.6
vwar virtual_war 1.5.0_r1
vwar virtual_war 1.5.0_r7
vwar virtual_war 1.0.3
vwar virtual_war 1.3
vwar virtual_war 1.1.5
vwar virtual_war 1.1.8
vwar virtual_war 1.1.1
vwar virtual_war 1.0.0
vwar virtual_war 1.5.0_r3
vwar virtual_war 1.0.7
vwar virtual_war 1.5.0_r4
vwar virtual_war 1.2.2
vwar virtual_war 1.5.0_r10
vwar virtual_war 1.1.7
vwar virtual_war 1.2.0
vwar virtual_war 1.5.0_r6
vwar virtual_war 1.5.0_r2
vwar virtual_war 1.5.0_r8
vwar virtual_war 1.0.9
vwar virtual_war 1.5
vwar virtual_war 1.5.0_r5
vwar virtual_war 1.1.2
vwar virtual_war 1.0.1
vwar virtual_war 1.1.3
vwar virtual_war 1.0.6
vwar virtual_war 1.0.2
vwar virtual_war 1.1.0
vwar virtual_war 1.0.8
vwar virtual_war 1.5.0_r11
vwar virtual_war 1.5.0_r9
CVE-2006-1636 HIGH

PHP remote file inclusion vulnerability in get_header.php in VWar 1.5.0 R12 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the vwar_root parameter. NOTE: this is a different vulnerability than CVE-2006-1503.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-94,

Products Affected

Vendor Product Version
vwar virtual_war 1.0.4
vwar virtual_war 1.1.4
vwar virtual_war 1.4
vwar virtual_war 1.2.1
vwar virtual_war 1.0.5
vwar virtual_war 1.1.6
vwar virtual_war 1.5.0_r1
vwar virtual_war 1.5.0_r7
vwar virtual_war 1.0.3
vwar virtual_war 1.3
vwar virtual_war 1.1.5
vwar virtual_war 1.1.8
vwar virtual_war 1.1.1
vwar virtual_war 1.0.0
vwar virtual_war 1.5.0_r3
vwar virtual_war 1.0.7
vwar virtual_war 1.5.0_r4
vwar virtual_war 1.2.2
vwar virtual_war 1.5.0_r10
vwar virtual_war 1.1.7
vwar virtual_war 1.2.0
vwar virtual_war 1.5.0_r6
vwar virtual_war 1.5.0_r2
vwar virtual_war 1.5.0_r8
vwar virtual_war 1.0.9
vwar virtual_war 1.5
vwar virtual_war 1.5.0_r5
vwar virtual_war 1.1.2
vwar virtual_war 1.0.1
vwar virtual_war 1.1.3
vwar virtual_war 1.0.6
vwar virtual_war 1.0.2
vwar virtual_war 1.1.0
vwar virtual_war 1.0.8
vwar virtual_war 1.5.0_r12
vwar virtual_war 1.5.0_r11
vwar virtual_war 1.5.0_r9
CVE-2006-1747 HIGH

PHP remote file inclusion vulnerability in Virtual War (VWar) 1.5.0 allows remote attackers to execute arbitrary PHP code via a URL in the vwar_root parameter to (1) admin/admin.php, (2) war.php, (3) stats.php, (4) news.php, (5) joinus.php, (6) challenge.php, (7) calendar.php, (8) member.php, (9) popup.php, and other unspecified scripts in the admin folder. NOTE: these are different attack vectors than CVE-2006-1636 and CVE-2006-1503.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
vwar virtual_war 1.5.0
CVE-2006-2091 MEDIUM

admin.php in Virtual War (VWar) 1.5 and versions before 1.2 allows remote attackers to obtain sensitive information via an invalid vwar_root parameter, which reveals the path in an error message.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
vwar virtual_war 1.0.4
vwar virtual_war 1.1.4
vwar virtual_war 1.0.9
vwar virtual_war 1.5
vwar virtual_war 1.0.5
vwar virtual_war 1.1.6
vwar virtual_war 1.1.2
vwar virtual_war 1.0.1
vwar virtual_war 1.1.3
vwar virtual_war 1.0.3
vwar virtual_war 1.0.6
vwar virtual_war 1.0.2
vwar virtual_war 1.1.0
vwar virtual_war 1.1.5
vwar virtual_war 1.1.8
vwar virtual_war 1.1.1
vwar virtual_war 1.0.0
vwar virtual_war 1.0.7
vwar virtual_war 1.0.8
vwar virtual_war 1.1.7
CVE-2006-3139 HIGH

Multiple SQL injection vulnerabilities in war.php in Virtual War (VWar) 1.5.0 R14 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) s, (2) showgame, (3) sortorder, and (4) sortby parameters.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
vwar virtual_war 1.5.0_r5
vwar virtual_war 1.5.0_r1
vwar virtual_war 1.5.0_r7
vwar virtual_war *
vwar virtual_war 1.5.0_r3
vwar virtual_war 1.5.0_r4
vwar virtual_war 1.5.0_r10
vwar virtual_war 1.5.0_r13
vwar virtual_war 1.5.0_r12
vwar virtual_war 1.5.0_r11
vwar virtual_war 1.5.0_r6
vwar virtual_war 1.5.0_r2
vwar virtual_war 1.5.0_r8
vwar virtual_war 1.5.0_r9
CVE-2011-3813 MEDIUM

Virtual War (aka VWar) 1.5.0r15 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by includes/language/dutch.inc.php and certain other files.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
vwar virtual_war 1.5.0