Information Security


Daily digest of web application vulnerabilities (PHP, ASP, JSP, CGI, Perl)
Published: 14 March 2007
Source:
SecurityVulns ID: 7398
Type: remote
Severity: 5/10
Description: PHP injection, SQL injection, directory traversal, cross-site scripting, information leakage, etc.
Affected products:
 VBULLETIN : vBulletin 3.6
 XICE : X-ice News System 1.0
 PHPROJEKT : PHProjekt 5.2
 WSNGUEST : WSN Guest 1.21
 AMP : Activist Mobilization Platform 3.2
CVE:
 CVE-2007-1576 (Multiple cross-site scripting (XSS) vulnerabilities in PHProjekt 5.2.0, when magic_quotes_gpc is disabled, allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors to the (1) Projects, (2) Contacts, (3) Helpdesk, (4) Search (only Gecko engine driven Browsers), and (5) Notes modules; the (6) Mail summary page; and unspecified other files.)
 CVE-2007-1575 (Multiple SQL injection vulnerabilities in PHProjekt 5.2.0, when magic_quotes_gpc is disabled, allow remote authenticated users to execute arbitrary SQL commands via (1) unspecified vectors to the (a) calendar and (2) search modules, and an (2) unspecified cookie when the user logs out.)
 CVE-2007-1573 (SQL injection vulnerability in admincp/attachment.php in Jelsoft vBulletin 3.6.5 allows remote authenticated administrators to execute arbitrary SQL commands via the "Attached Before" field.)
 CVE-2007-1571 (PHP remote file inclusion vulnerability in includes/base.php in Radical Designs Activist Mobilization Platform (AMP) 3.2, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the base_path parameter.)
 CVE-2007-1570 (** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2007-1438. Reason: This candidate is a duplicate of CVE-2007-1438. Notes: All CVE users should reference CVE-2007-1438 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.)
 CVE-2007-1517 (SQL injection vulnerability in comments.php in WSN Guest 1.02 and 1.21 allows remote attackers to execute arbitrary SQL commands via the id parameter.)
 CVE-2007-1438 (SQL injection vulnerability in devami.asp in X-Ice News System 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter.)
Original text:
 erdc_(at)_echo.or.id, [ECHO_ADV_71$2007] AMP v3.2 (base_path) Remote File Inclusion Vulnerability (14.03.2007)
 disfigure, [Full-disclosure] vbulletin admincp sql injection (14.03.2007)
 security_(at)_nruns.com, n.runs-SA-2007.003 - PHProjekt 5.2.0 - SQL Injection (14.03.2007)
 security_(at)_nruns.com, n.runs-SA-2007.004 - PHProjekt 5.2.0 - Cross Site Scripting and Filter Evasion (14.03.2007)
 security_(at)_nruns.com, n.runs-SA-2007.005 - PHProjekt 5.2.0 - Cross Site Request Forgery (14.03.2007)
 security_(at)_nruns.com, n.runs-SA-2007.006 - PHProjekt 5.2.0 - Privilege escalation (14.03.2007)
 CyberGhost, X-ice News System v1.0 Remote SQL Injection Vulnerability (14.03.2007)
 Dj7xpl, GestArt beta 1 (aide.php aide) Remote File Inclusion Vulnerability (14.03.2007)
Files: WSN Guest 1.21 Version Comments.PHP "ID" SQL Injection Exploit

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod