[VIM] [Fwd: SPAW Editor PHP Edition]

security curmudgeon jericho at attrition.org
Fri Mar 2 19:22:18 EST 2007

: By the way, it's been on my to-do list to investigate other disclosures 
: involving $spaw_root in other products; looks like SPAW Editor is 
: included in other products.

From: security curmudgeon <jericho at attrition.org>
To: OSVDB Mods <moderators at osvdb.org>
Cc: Steven Christey <coley at mitre.org>
Date: Mon, 27 Nov 2006 06:37:24 -0500 (EST)
Reply-To: moderators at osvdb.org
Subject: [OSVDB Mods] omg omg SPAW

I sent this mail out just days before I got slammed with work and never 
got around to looking at it in more detail. This was specifically over 
spaw_control.class.php being found vulnerable in a number of packages.

: CVE-2006-5459 - Download-Engine
: CVE-2006-5291 - Download-Engine
: CVE-2006-4656 - Web Provence SL_Site
: CVE-2006-2928 - CMS-Bandits
: CVE-2006-2519 - phpwcms

OSVDB 26368
AWF CMS spaw_control.class.php spaw_root Variable Remote File Inclusion

OSVDB 18155
Website Generator spaw_control.class.php Direct Request Path Disclosure
