Dynamic code evaluation vulnerability in tests/tmssql.php test script in ADOdb for PHP before 4.70, as used in multiple products including (1) Mantis, (2) PostNuke, (3) Moodle, (4) Cacti, (5) Xaraya, (6) PhpOpenChat, possibly (7) MAXdev MD-Pro, and (8) Simplog, allows remote attackers to execute arbitrary PHP functions via the do parameter, which is saved in a variable that is then executed as a function, as demonstrated using phpinfo.
https://www.exploit-db.com/exploits/1663
https://exchange.xforce.ibmcloud.com/vulnerabilities/24052
http://www.vupen.com/english/advisories/2006/1332
http://www.vupen.com/english/advisories/2006/1305
http://www.vupen.com/english/advisories/2006/0104
http://www.vupen.com/english/advisories/2006/0103
http://www.vupen.com/english/advisories/2006/0102
http://www.vupen.com/english/advisories/2006/0101
http://www.securityfocus.com/archive/1/430743/100/0/threaded
http://www.securityfocus.com/archive/1/430448/100/0/threaded
http://www.gentoo.org/security/en/glsa/glsa-200604-07.xml
http://www.debian.org/security/2006/dsa-1031
http://www.debian.org/security/2006/dsa-1030
http://www.debian.org/security/2006/dsa-1029
http://secunia.com/advisories/19691
http://secunia.com/advisories/19628
http://secunia.com/advisories/19600
http://secunia.com/advisories/19591
http://secunia.com/advisories/19590
http://secunia.com/advisories/19555
http://secunia.com/advisories/18276
http://secunia.com/advisories/18267
http://secunia.com/advisories/18260