Информационная безопасность
[RU] switch to English


Ежедневная сводка ошибок в Web-приложениях (PHP, ASP, JSP, CGI, Perl )
Опубликовано:8 мая 2007 г.
Источник:
SecurityVulns ID:7676
Тип:удаленная
Уровень опасности:
5/10
Описание:Инъекции PHP, инъекции SQL, обратный путь в каталогах, межсайтовый скриптинг, утечка информации и т.д.
Затронутые продукты:OTRS : OTRS 2.0
 ADVANCEDGUESTBOO : Advanced Guestbook 2.4
 PHPHTMLLIB : PHPHtmlLib 2.4
 AMEROCANCART : american cart 3.5
 FIPSASP : fipsCMS 2.1
 PFA : pfa CMS 6.0
CVE:CVE-2007-0609 (Directory traversal vulnerability in Advanced Guestbook 2.4.2 allows remote attackers to bypass .htaccess settings, and execute arbitrary PHP local files or read arbitrary local templates, via a .. (dot dot) in a lang cookie, followed by a filename without its .php extension, as demonstrated via a request to index.php.)
 CVE-2007-0608 (Advanced Guestbook 2.4.2 allows remote attackers to obtain sensitive information via an invalid (1) GB_TBL parameter to (a) lang/codes-english.php or (b) image.php, which reveal the database name; (2) an invalid GB_DB parameter to index.php, coupled with a ../index lang cookie, which reveals the installation path; or (3) a direct request to index.php with no parameters or cookies, which reveals the installation path.)
 CVE-2007-0605 (Cross-site scripting (XSS) vulnerability in picture.php in Advanced Guestbook 2.4.2 allows remote attackers to inject arbitrary web script or HTML via the picture parameter.)
Оригинальный текстdocumentsecurityresearch_(at)_netvigilance.com, [Full-disclosure] Advanced Guestbook version 2.4.2 Directory Traversal Vulnerability (08.05.2007)
 documentsecurityresearch_(at)_netvigilance.com, [Full-disclosure] Advanced Guestbook version 2.4.2 Multiple XSS Attack Vulnerabilities (08.05.2007)
 documentilkerKandemir_(at)_mynet.com, pfa CMS v6.0 (index.php repinc) Remote File Include Vulnerability (08.05.2007)
 documentilkerKandemir_(at)_mynet.com, fipsCMS v2.1 Remote SQL injection Vulnerability (08.05.2007)
 documentilkerKandemir_(at)_mynet.com, phpHoo3 (admin.php) Remote Login Bypass SQL Injection Vulnerability (08.05.2007)
 documentkepledehlah_(at)_eluwini.co.uk, american cart 3.* (abs_path) remote file include (08.05.2007)
 documentsecurityresearch_(at)_netvigilance.com, Advanced Guestbook version 2.4.2 Multiple Error Information Leak Vulnerabilities (08.05.2007)
 documentciri_(at)_virtuax.be, OTRS <= 2.0.x XSS/XSRF (08.05.2007)
Файлы:PHPHtmlLib <= Remote File Include Exploit

О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород