Information Security


Daily digest of bugs in web applications (PHP, ASP, JSP, CGI, Perl)
Published: 20 January 2007
Source:
SecurityVulns ID: 7072
Type: remote
Severity: 5/10
Description: PHP injection, SQL injection, directory traversal, cross-site scripting, information leakage, etc.
Affected products: SMF : Simple Machines Forum 1.1
 ARSDIGITA : Ars Digita Community System 4.2
 ARSDIGITA : ACS-Java 3.4
 ARSDIGITA : ACS-Java 4.0
 ARSDIGITA : ACS-Java 4.7
 SUBROSUS : sabros.us 1.7
 EASYEBAYRESOURCE : Login Manager 3.0
CVE: CVE-2007-0468 (Stack-based buffer overflow in rcdll.dll in msdev.exe in Visual C++ (MSVC) in Microsoft Visual Studio 6.0 SP6 allows user-assisted remote attackers to execute arbitrary code via a long file path in the "1 TYPELIB MOVEABLE PURE" option in an RC file.)
 CVE-2007-0403 (SQL injection vulnerability in admin/memberlist.php in Easebay Resources Paypal Subscription Manager allows remote attackers to execute arbitrary SQL commands via the keyword parameter.)
 CVE-2007-0402 (Cross-site scripting (XSS) vulnerability in admin/edit_member.php in Easebay Resources Paypal Subscription Manager allows remote attackers to inject arbitrary web script or HTML via the username parameter.)
 CVE-2007-0401 (SQL injection vulnerability in admin/memberlist.php in Easebay Resources Login Manager 3.0 allows remote attackers to execute arbitrary SQL commands via the init_row parameter.)
 CVE-2007-0400 (Cross-site scripting (XSS) vulnerability in admin/memberlist.php in Easebay Resources Login Manager 3.0 allows remote attackers to inject arbitrary web script or HTML via the keyword parameter.)
 CVE-2007-0399 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Simple Machines Forum (SMF) 1.1 RC3 allow remote authenticated users to inject arbitrary web script or HTML via the (1) recipient or (2) BCC field when selecting send in a pm action.)
 CVE-2007-0398 (Multiple cross-site scripting (XSS) vulnerabilities in forum.php3 in Arnaud Guyonne (aka Arnotic) a-forum allow remote attackers to inject arbitrary web script or HTML via the (1) Sujet or (2) Pseudo field.)
 CVE-2007-0390 (Cross-site scripting (XSS) vulnerability in index.php in sabros.us 1.7 allows remote attackers to inject arbitrary web script or HTML via the tag parameter.)
 CVE-2007-0389 (Directory traversal vulnerability in ArsDigita Community System (ACS) 3.4.10 and earlier, and ArsDigita Community Education Solution (ACES) 1.1, allows remote attackers to read arbitrary files via .%252e/ (double-encoded dot dot slash) sequences in the URI.)
Original text: Advisory_(at)_Aria-Security.net, SMF "index.php?action=pm" Cross Site-Scripting (20.01.2007)
 Hackers Center Security Group, Paypal Subscription Manager Multiple HTML Injections (20.01.2007)
 Hackers Center Security Group, Login Manager Multiple HTML Injections (20.01.2007)
 sn0oPy_(at)_avenir-geopolitique.net, a-forum xss (20.01.2007)
 CorryL, [x0n3-h4ck] sabros.us 1.7 XSS Exploit (20.01.2007)
 Hackers Center Security Group, MyShoutBox Multiple Cross-Site Scripting Vulnerability (20.01.2007)
 Elliot Kendall, Directory Traversal in ArsDigita Community System (20.01.2007)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod