An unrestricted file upload vulnerability in jhot.php in TikiWiki 1.9.4 Sirius and earlier allows remote attackers to execute arbitrary PHP code via a filepath parameter that contains a filename with a .php extension, which is uploaded to the img/wiki/ directory.
tiki-graph_formula.php in TikiWiki 1.9.8 allows remote attackers to execute arbitrary code via PHP sequences in the f array parameter, which are processed by create_function.
The spywall/blocked_file.php script of Symantec Web Gateway allows remote unauthenticated users to upload files with arbitrary extensions. This can be abused by attackers to execute arbitrary PHP code on vulnerable systems.
The vulnerability is caused by scripts using "unserialize()" with user controlled input. This can be exploited to execute arbitrary PHP code via the "__destruct()" method of the "SugarTheme" class or passing an ad-hoc serialized object through the $_REQUEST['current_query_by_page'] input variable.
Unrestricted file upload vulnerability in the Compose Email feature in the Emails module in Sugar Community Edition (aka SugarCRM) before 5.2f allows remote authenticated users to execute arbitrary code by uploading a file with only an extension in its name, then accessing the file via a direct request to a modified filename under cache/modules/Emails/, as demonstrated using .php as the entire original name. This module starts a web server on the Core Impact Console to publish the agent, which is downloaded from the target
Eval injection vulnerability in reserve.php in phpScheduleIt 1.2.10 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary PHP code via the start_date parameter.
phpMyAdmin is vulnerable to a remote code execution due the use of the unserialize method on user supplied data. This data is written in the config file and is accessible from the internet by default.
Static code injection vulnerability in setup.php in phpMyAdmin 2.11.x before 2.11.9.5 and 3.x before 3.1.3.1 allows remote attackers to inject arbitrary PHP code into a configuration file via the save action.
Input passed to the "orderby" parameter in cmd.php (when "cmd" is set to "query_engine", "query" is set to "none", and "search" is set to e.g. "1") is not properly sanitised in lib/functions.php before being used in a "create_function()" function call. This can be exploited to inject and execute arbitrary PHP code.
By including shell meta characters within the second parameter to the 'urt_test_url' XML-RPC methodCall, an attacker can execute arbitrary commands. The service typically runs with root privileges.