CVE-2006-5432 - Unpeopled Autos
Description
Multiple direct static code injection vulnerabilities in db/txt.inc.php in phpPowerCards 2.10 when register_globals is enabled allow remote attackers to create or overwrite arbitrary files via the (1) email[to] (2) email[from] (3) name[to] (4) name[from] (5) picture (6) comment or (7) sessionID parameter as demonstrated by creating a new .php file that permits remote file inclusion and then requesting this file.
Reference
http://www.securityfocus.com/bid/20620 http://www.osvdb.org/29840 http://secunia.com/advisories/22471 http://www.vupen.com/english/advisories/2006/4105 https://exchange.xforce.ibmcloud.com/vulnerabilities/29669 https://www.exploit-db.com/exploits/2590