Information Security


Daily digest of bugs in Web applications (PHP, ASP, JSP, CGI, Perl)
updated since 5 March 2007
Published: 5 March 2007
Source:
SecurityVulns ID: 7347
Type: remote
Severity: 5/10
Description: PHP injection, SQL injection, directory traversal, cross-site scripting, information leakage, etc.
Affected products:
 UPLOADSCRIPT : UploadScript 1.02
 WORDPRESS : WordPress 2.1
 RRDBROWSE : rrdbrowse 1.6
 EPORTFOLIO : ePortfolio 1.0
 SAVASPLACE : Sava's GuestBook 23.11.2006
 LISCRIPTS : LI-Guestbook 1.1
 VCARD : vCard 2.6
CVE:
 CVE-2007-1332 (Multiple cross-site request forgery (CSRF) vulnerabilities in TKS Banking Solutions ePortfolio 1.0 Java allow remote attackers to perform unspecified restricted actions in the context of certain accounts by bypassing the client-side protection scheme.)
 CVE-2007-1331 (Multiple cross-site scripting (XSS) vulnerabilities in TKS Banking Solutions ePortfolio 1.0 Java allow remote attackers to inject arbitrary web script or HTML via unspecified vectors that bypass the client-side protection scheme, one of which may be the q parameter to the search program. NOTE: some of these details are obtained from third party information.)
 CVE-2007-1305 (Multiple cross-site scripting (XSS) vulnerabilities in add2.php in Sava's Guestbook 23.11.2006 allow remote attackers to inject arbitrary web script or HTML via the (1) name, (2) country, (3) email, and (4) website parameters.)
 CVE-2007-1304 (Multiple SQL injection vulnerabilities in add2.php in Sava's Guestbook 23.11.2006, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) name, (2) country, (3) email, (4) website, and (5) message parameters.)
 CVE-2007-1303 (Directory traversal vulnerability in rb.cgi in RRDBrowse 1.6 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.)
 CVE-2007-1302 (SQL injection vulnerability in guestbook.php in LI-Guestbook 1.1, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the country parameter.)
Original text:
 ciri_(at)_virtuax.be, Wordpress <= v2.1.0 (05.03.2007)
 RaeD Hasadya, XSS Remote In vCard 2.6 (c)2002 (05.03.2007)
 Sebastian Wolfgarten, Arbitrary file disclosure vulnerability in rrdbrowse <= 1.6 (05.03.2007)
 bugtraq_(at)_belsec.com, LI-Guestbook SQL Injection Vulnerability (05.03.2007)
 bugtraq_(at)_belsec.com, Sava's GuestBook Multiple Vulnerabilities (05.03.2007)
 RaeD Hasadya, XSS in script Phorum (05.03.2007)
 RaeD Hasadya, Show Password Admin In Script Uploadscript (05.03.2007)
 Stefan Friedli, ePortfolio version 1.0 Java Multiple Input Validation Vulnerabilities (05.03.2007)
 Sebastian Wolfgarten, [Full-disclosure] Arbitrary file disclosure vulnerability in rrdbrowse <= 1.6 (05.03.2007)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod