Information Security


Daily summary of web application vulnerabilities (PHP, ASP, JSP, CGI, Perl)
Published: May 29, 2007
Source:
SecurityVulns ID: 7755
Type: remote
Severity level: 5/10
Description: PHP injection, SQL injection, directory traversal, cross-site scripting, information disclosure, etc.
Affected products: EGGBLOG : EggBlog 3.1
 DGNEWS : DGNews 2.1
 MYWEBLAND : MyEvent 1.6
CVE: CVE-2007-0694 (Cross-site scripting (XSS) vulnerability in footer.php in DGNews 2.1 allows remote attackers to inject arbitrary web script or HTML via the copyright parameter.)
 CVE-2007-0693 (SQL injection vulnerability in news.php in DGNews 2.1 allows remote attackers to execute arbitrary SQL commands via the catid parameter in a newslist action. NOTE: this issue can produce resultant cross-site scripting (XSS).)
 CVE-2007-0692 (DGNews 2.1 allows remote attackers to obtain sensitive information via a fullnews request to news.php with an invalid newsid parameter, and other unspecified vectors, which reveal the path in various error messages.)
 CVE-2007-0690 (myEvent 1.6 allows remote attackers to obtain sensitive information via (1) a Log In action without a password to login.php, or an invalid (2) view[] or (3) monthno[] parameter to myevent.php, which reveals the path in various error messages.)
Original text: Aesthetico, [MajorSecurity Advisory #48] eggblog - Session fixation Issue (29.05.2007)
 laurent gaffie, Re: DGNews version 2.1 SQL Injection Vulnerability (29.05.2007)
 Michal Majchrowicz, [Full-disclosure] Uebimiau Webmail Multiple Vulnerabilities (29.05.2007)
 securityresearch_(at)_netvigilance.com, DGNews version 2.1 Path Disclosure Vulnerability (29.05.2007)
 securityresearch_(at)_netvigilance.com, DGNews version 2.1 SQL Injection Vulnerability (29.05.2007)
 securityresearch_(at)_netvigilance.com, myEvent version 1.6 Multiple Path Disclosure Vulnerabilities (29.05.2007)
 securityresearch_(at)_netvigilance.com, DGNews version 2.1 XSS Attack Vulnerability (29.05.2007)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod