Information Security


Daily summary of Web application bugs (PHP, ASP, JSP, CGI, Perl)
Published: March 25, 2007
Source:
SecurityVulns ID: 7465
Type: remote
Severity level: 5/10
Description: PHP injections, SQL injections, directory traversal, cross-site scripting, information leaks, etc.
Affected products: PHPBB : phpBB 2.0
 MOODLE : Moodle 1.5
 WORDPRESS : WordPress 2.0
 MONSTERTOPLIST : Monster Top List 1.4
 PBLANG : PBlang 4.66
 NPDS : Net Portal Dynamic System 5.10
 METAFORUM : MetaForum 0.513
 FILEUPLOAD : File Upload System 1.0
 APBN : Active PHP Bookmark Notes 0.2
 GUESTBARA : Guestbara 1.2
 SCRIPTMAGIX : ScriptMagix Photo Rating 2.0
 SCRIPTMAGIX : ScriptMagix FAQ Builder 2.0
 SCRIPTMAGIX : ScriptMagix Recipes 2.0
 SCRIPTMAGIX : ScriptMagix Lyrics 2.0
 SCRIPTMAGIX : ScriptMagix Jokes 2.0
 KATALOGPLYTAUDIO : Katalog Plyt Audio 1.0
 PHPNUKE : Splatt Forum 4.0 PHP-Nuke module
 PHPBB : Minerva 2.0 phpBB module
 PRAGMAMX : pragmaMX Landkartenmodule 2.1
 GEBLOG : GeBlog 0.1
 CLASSWEB : ClassWeb 2.03
 PHILEX : Philex 0.2
 MAMBO : Flatmenu 1.05 module for Mambo
 MAMBO : SWmenu 4.0 module for Mambo
 JOOMLA : Joomlaboard 1.1 component for Joomla
 DIGITALEYE : Digital Eye Gallery 1.1
 PHPREVISTA : php-revista 1.1
 JOOMLA : NFN Address Book 0.4 module for Joomla
 PHPNUKE : htmltonuke 2.0 module for PHP-Nuke
 ACTIVEWEB : Active Photo Gallery
 ACTIVEWEB : Active BuyandSell 6.2
 ACTIVEWEB : Active Auction
 ACTIVEWEB : Active Link Engine
 ACTIVEWEB : Active Trade 2
 PORTAILPHP : Portail PHP 2.0
 TTCMS : ttCMS 4
 LMS : LMS 1.8
 ASPWEBCALENDAR : aspWebCalendar 4.5
 ROSECMS : RoseOnlineCMS 3
 ACTIVEWEB : Active Newsletter 4.3
 ACTIVEWEB : eWebquiz 8
 JOOMLA : RWCards 2.3 component for Joomla
 JOOMLA : Car Manager 1.1 component for Joomla
 FREEIMAGEHOSTING : Free Image Hosting 2.0
 REALGUESTBOOK : realGuestbook 5.01
 TYPOLIGHT : TYPOlight webCMS 2.2
 ZOPE : zope 2.10
 STATSDAWG : StatsDawg 0.92
CVE: CVE-2007-1715 (PHP remote file inclusion vulnerability in frontpage.php in Free Image Hosting 2.0 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the AD_BODY_TEMP parameter. NOTE: the forgot_pass.php vector is already covered by CVE-2006-5670, and the login.php vector overlaps CVE-2006-5763.)
 CVE-2007-1712 (SQL injection vulnerability in default.asp in ActiveWebSoftwares Active Auction Pro 7.1 allows remote attackers to execute arbitrary SQL commands via the catid parameter.)
 CVE-2007-1708 (PHP remote file inclusion vulnerability in lib/db/ez_sql.php in ttCMS 4 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the lib_path parameter.)
 CVE-2007-1707 (PHP remote file inclusion vulnerability in index.php in Net Side Content Management System (Net-Side.net CMS) allows remote attackers to execute arbitrary PHP code via a URL in the cms parameter.)
 CVE-2007-1706 (SQL injection vulnerability in eWebQuiz.asp in eWebQuiz 8 allows remote attackers to execute arbitrary SQL commands via the QuizID parameter.)
 CVE-2007-1705 (SQL injection vulnerability in default.asp in Active Trade 2 allows remote attackers to execute arbitrary SQL commands via the catid parameter.)
 CVE-2007-1704 (SQL injection vulnerability in index.php in the Car Manager (com_resman) 1.1 and earlier component for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter.)
 CVE-2007-1703 (SQL injection vulnerability in index.php in the RWCards (com_rwcards) 2.4.3 and earlier component for Joomla! allows remote attackers to execute arbitrary SQL commands via the category_id parameter.)
 CVE-2007-1702 (PHP remote file inclusion vulnerability in mod_flatmenu.php in the Flatmenu 1.07 and earlier Mambo module allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter.)
 CVE-2007-1699 (Multiple PHP remote file inclusion vulnerabilities in the SWmenu (com_swmenupro and com_swmenufree) 4.0 component for Mambo and Joomla! allow remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter to ImageManager/Classes/ImageManager.php under the (1) components/ or (2) administrator/components/ directory trees.)
 CVE-2007-1698 (download.php in Philex 0.2.3 and earlier allows remote attackers to read arbitrary files and source code, and obtain sensitive information via the file parameter.)
 CVE-2007-1697 (PHP remote file inclusion vulnerability in header.inc.php in Philex 0.2.3 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the CssFile parameter.)
 CVE-2007-1696 (SQL injection vulnerability in ViewNewspapers.asp in Active Newsletter 4.3 and earlier allows remote attackers to execute arbitrary SQL commands via the NewsPaperID parameter.)
 CVE-2007-1695 (** DISPUTED ** PHP remote file inclusion vulnerability in includes/usercp_register.php in phpBB 2.0.19 allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter. NOTE: this issue has been disputed by third-party researchers, stating that the file checks for a global constant and cannot be accessed directly.)
 CVE-2007-1656 (Multiple SQL injection vulnerabilities in index.php in Katalog Plyt Audio 1.0 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) fraza and (2) litera parameters, different vectors than CVE-2007-1612. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.)
 CVE-2007-1652 (OpenID allows remote attackers to forcibly log a user into an OpenID enabled site, divulge the user's personal information to this site, and add it site to the trusted sites list via a crafted web page, related to cached tokens.)
 CVE-2007-1651 (Cross-site request forgery (CSRF) vulnerability in OpenID allows remote attackers to restore the login session of a user on an OpenID enabled site via unspecified vectors related to an arbitrary remote web site and cached tokens, after the user has signed into an OpenID server, logged into the OpenID enabled site, and then logged out of the OpenID enabled site.)
 CVE-2007-1647 (Moodle 1.5.2 and earlier stores sensitive information under the web root with insufficient access control, and provides directory listings, which allows remote attackers to obtain user names, password hashes, and other sensitive information via a direct request for session (sess_*) files in moodledata/sessions/.)
 CVE-2007-1643 (Multiple PHP remote file inclusion vulnerabilities in LAN Management System (LMS) 1.8.9 Vala and earlier allow remote attackers to execute arbitrary PHP code via a URL in (1) the CONFIG[directories][userpanel_dir] parameter to userpanel.php or the (2) _LIB_DIR parameter to welcome.php.)
 CVE-2007-1641 (SQL injection vulnerability in index.php in PortailPHP 2.0 allows remote attackers to execute arbitrary SQL commands via the idnews parameter.)
 CVE-2007-1640 (Multiple PHP remote file inclusion vulnerabilities in ClassWeb 2.03 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the BASE parameter to (1) language.php and (2) phpadmin/survey.php.)
 CVE-2007-1637 (Multiple buffer overflows in the IMAILAPILib ActiveX control (IMailAPI.dll) in Ipswitch IMail Server before 2006.2 allow remote attackers to execute arbitrary code via the (1) WebConnect and (2) Connect members in the (a) IMailServer control; (3) Sync3 and (4) Init3 members in the (b) IMailLDAPService control; and the (5) SetReplyTo member in the (c) IMailUserCollection control.)
 CVE-2007-1636 (Directory traversal vulnerability in index.php in RoseOnlineCMS 3 B1 allows remote attackers to include arbitrary files via a .. (dot dot) sequence in the op parameter, as demonstrated by injecting PHP code into Apache log files via the URL and User-Agent HTTP header.)
 CVE-2007-1635 (Static code injection vulnerability in admin/settings.php in Net Portal Dynamic System (NPDS) 5.10 and earlier allows remote authenticated users to inject arbitrary PHP code via the xtop parameter in a "ConfigSave" op to admin.php, which can later be accessed via a "Configure" op to admin.php.)
 CVE-2007-1634 (Variable extraction vulnerability in grab_globals.php in Net Portal Dynamic System (NPDS) 5.10 and earlier allows remote attackers to conduct SQL injection attacks via the _FILES[DB][tmp_name] parameter to print.php, which overwrites the $DB variable with dynamic variable evaluation.)
 CVE-2007-1633 (Directory traversal vulnerability in bbcode_ref.php in the Giorgio Ciranni Splatt Forum 4.0 RC1 module for PHP-Nuke allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the name parameter, as demonstrated by injecting PHP sequences into an Apache HTTP Server log file, which is then included by bbcode_ref.php.)
 CVE-2007-1632 (Unspecified vulnerability in TYPOlight webCMS before 2.2 Build 5 has unknown impact and attack vectors related to a "major security hole.")
 CVE-2007-1630 (SQL injection vulnerability in default.asp in ActiveWebSoftwares Active Link Engine allows remote attackers to execute arbitrary SQL commands via the catid parameter.)
 CVE-2007-1629 (SQL injection vulnerability in default.asp in ActiveWebSoftwares Active Photo Gallery allows remote attackers to execute arbitrary SQL commands via the catid parameter.)
 CVE-2007-1627 (Multiple SQL injection vulnerabilities in php-revista 1.1.2 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) id_autor parameter to autor.php, the (2) id_articulo parameter to articulo.php, the (3) cadena parameter to busqueda.php, and the (4) email parameter to lista.php.)
 CVE-2007-1626 (PHP remote file inclusion vulnerability in iframe.php in the iFrame Module for PHP-NUKE allows remote attackers to execute arbitrary PHP code via a URL in the file parameter.)
 CVE-2007-1625 (Cross-site scripting (XSS) vulnerability in save_entry.php in realGuestbook 5.01 allows remote attackers to inject arbitrary web script or HTML via the homepage parameter, as reachable through add_entry.php. NOTE: the original report stated that the vulnerability was in add_entry.php, which does not receive the input data.)
 CVE-2007-1624 (Multiple SQL injection vulnerabilities in realGuestbook 5.01 allow remote attackers to execute arbitrary SQL commands via the (1) name, (2) email, (3) homepage, and (4) text parameters to save_entry.php, as reachable through add_entry.php; and possibly other unspecified parameters and files. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.)
 CVE-2007-1623 (Multiple cross-site scripting (XSS) vulnerabilities in realGuestbook 5.01, when register_globals is enabled, allow remote attackers to inject arbitrary web script or HTML via the (1) bg_color_1, (2) fs_menu, (3) fc_menu, (4) ff_menu, (5) bg_color_2, (6) fs_normal, (7) fc_normal, and (8) ff_normal parameters to welcome_admin.php; and possibly unspecified other parameters and files. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.)
 CVE-2007-1622 (Cross-site scripting (XSS) vulnerability in wp-admin/vars.php in WordPress before 2.0.10 RC2, and before 2.1.3 RC2 in the 2.1 series, allows remote authenticated users with theme privileges to inject arbitrary web script or HTML via the PATH_INFO in the administration interface, related to loose regular expression processing of PHP_SELF.)
 CVE-2007-1621 (PHP remote file inclusion vulnerability in templates/head.php in Active PHP Bookmark Notes (APB) 0.2.5 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the APB_SETTINGS[template_path] parameter. NOTE: this issue might be related to CVE-2003-1254.)
 CVE-2007-1619 (SQL injection vulnerability in viewcomments.php in ScriptMagix Photo Rating 2.0 and earlier allows remote attackers to execute arbitrary SQL commands via the phid parameter.)
 CVE-2007-1618 (SQL injection vulnerability in index.php in ScriptMagix FAQ Builder 2.0 and earlier allows remote attackers to execute arbitrary SQL commands via the catid parameter.)
 CVE-2007-1617 (SQL injection vulnerability in index.php in ScriptMagix Recipes 2.0 and earlier allows remote attackers to execute arbitrary SQL commands via the catid parameter.)
 CVE-2007-1616 (SQL injection vulnerability in index.php in ScriptMagix Lyrics 2.0 and earlier allows remote attackers to execute arbitrary SQL commands via the recid parameter.)
 CVE-2007-1615 (SQL injection vulnerability in index.php in ScriptMagix Jokes 2.0 and earlier allows remote attackers to execute arbitrary SQL commands via the catid parameter.)
 CVE-2007-1612 (SQL injection vulnerability in index.php in Katalog Plyt Audio 1.0 and earlier allows remote attackers to execute arbitrary SQL commands via the kolumna parameter.)
 CVE-2007-1607 (search.php in w-Agora (Web-Agora) allows remote attackers to obtain potentially sensitive information via a ' (quote) value followed by certain SQL sequences in the (1) search_forum or (2) search_user parameter, which force a SQL error.)
 CVE-2007-1606 (Multiple cross-site scripting (XSS) vulnerabilities in w-Agora (Web-Agora) allow remote attackers to inject arbitrary web script or HTML via (1) the showuser parameter to profile.php, the (2) search_forum or (3) search_user parameter to search.php, or (4) the userid parameter to change_password.php.)
 CVE-2007-1605 (w-Agora (Web-Agora) allows remote attackers to obtain sensitive information via a request to rss.php with an invalid (1) site or (2) bn parameter, (3) a certain value of the site[] parameter, or (4) an empty value of the bn[] parameter; a request to index.php with a certain value of the (5) site[] or (6) sort[] parameter; (7) a request to profile.php with an empty value of the site[] parameter; or a request to search.php with (8) an empty value of the bn[] parameter or a certain value of the (9) pattern[] or (10) search_date[] parameter, which reveal the path in various error messages, probably related to variable type inconsistencies. NOTE: the bn[] parameter to index.php is already covered by CVE-2007-0606.1.)
 CVE-2007-1604 (Multiple unrestricted file upload vulnerabilities in w-Agora (Web-Agora) allow remote attackers to upload and execute arbitrary PHP code (1) via a forum message with an attached file, which is stored under forums/hello/hello/notes/ or (2) by using browse_avatar.php to upload a file with a double extension, as demonstrated by .php.jpg.)
 CVE-2007-1600 (PHP remote file inclusion vulnerability in module.php in Digital Eye Gallery 1.1 Beta (aka 0.1.1b) allows remote attackers to execute arbitrary PHP code via a URL in the menu parameter.)
 CVE-2007-1596 (Multiple PHP remote file inclusion vulnerabilities in the NFN Address Book (com_nfn_addressbook) 0.4 component for Mambo and Joomla! allow remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter to (1) components/com_nfn_addressbook/nfnaddressbook.php or (2) administrator/components/com_nfn_addressbook/nfnaddressbook.php.)
 CVE-2007-1587 (templates/config/mail.tpl in Tim Soderstrom StatsDawg 0.92 allows remote attackers to execute arbitrary programs by specifying the program name in the qshapeLocation parameter.)
 CVE-2007-1577 (Directory traversal vulnerability in index.php in GeBlog 0.1 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the GLOBALS[tplname] parameter, as demonstrated by injecting PHP sequences into an Apache HTTP Server log file, which is then included by index.php.)
 CVE-2007-1566 (SQL injection vulnerability in News/page.asp in NetVIOS Portal allows remote attackers to execute arbitrary SQL commands via the NewsID parameter. NOTE: this issue might be the same as CVE-2006-5954.)
 CVE-2007-1555 (SQL injection vulnerability in forum.php in the Minerva mod 2.0.21 build 238a and earlier for phpBB allows remote attackers to execute arbitrary SQL commands via the c parameter.)
 CVE-2007-1554 (Direct static code injection vulnerability in admin/configuration.php in Guestbara 1.2 and earlier allows remote authenticated users to inject arbitrary PHP code into config.php via the (1) admin_mail, (2) emotpatch, (3) login, (4) pass, and unspecified other parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.)
 CVE-2007-1553 (admin/configuration.php in Guestbara 1.2 and earlier allows remote attackers to modify the e-mail, name, and password of the admin account by setting the zapis parameter to "ok" and providing modified admin_mail, login, and pass parameters.)
 CVE-2007-1552 (Unrestricted file upload vulnerability in usercp.php in MetaForum 0.513 Beta restricts file types based on the MIME type in the Content-type HTTP header, which allows remote attackers to upload and execute arbitrary scripts via an image MIME type with a filename containing an executable extension such as .php.)
 CVE-2007-1539 (Directory traversal vulnerability in inc/map.func.php in pragmaMX Landkarten 2.1 module allows remote attackers to include arbitrary files via a .. (dot dot) sequence in the module_name parameter, as demonstrated via a static PHP code injection attack in an Apache log file.)
 CVE-2007-1524 (Directory traversal vulnerability in themes/default/ in ZomPlog 3.7.6 and earlier allows remote attackers to include arbitrary local files via a .. (dot dot) in the settings[skin] parameter, as demonstrated by injecting PHP code into an Apache HTTP Server log file, which can then included via themes/default/.)
 CVE-2007-0240 (Cross-site scripting (XSS) vulnerability in Zope 2.10.2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors in a HTTP GET request.)
Original text: crackers_child_(at)_sibersavascilar.com, Image_Upload Script Remote File Inclusion Exploit Free Image Hosting 2.0 (25.03.2007)
 Sharingan, Net Side Content Management System (25.03.2007)
 parad0x_(at)_bsdmail.com, aspWebCalendar Remote SQL Injection Vulnerability (25.03.2007)
 Kacper, LMS <= 1.8.9 Vala Remote File Inclusion Vulnerabilities (25.03.2007)
 Kacper, ttCMS <= v4 (ez_sql.php lib_path) Remote File Inclusion Vulnerability (25.03.2007)
 CyberGhost, Active Photo Gallery Remote SQL Injection Vulnerability (25.03.2007)
 CyberGhost, Active Link Engine Remote SQL Injection Vulnerability (25.03.2007)
 CyberGhost, Active Auction Remote SQL Injection Vulnerability (25.03.2007)
 CyberGhost, Active BuyandSell Remote SQL Injection Vulnerability (25.03.2007)
 CyberGhost, Active Trade Remote SQL Injection Vulnerability (25.03.2007)
 Cold Zero, MAMBO Modules SWmenu 4.0 (ImageManager.php) Remote File Include Vulnerabilities (25.03.2007)
 Cold Zero, Joomla com_joomlaboard 1.1.x Branch (sbp) Multiple Remote File Include Vulnerabilities (25.03.2007)
 Cold Zero, Digital Eye Gallery 1.1 Beta (module.php menu) Remote File Include Vulnerabilities (25.03.2007)
 Cold Zero, php-revista <= 1.1.2 Remote SQL Injection Exploit (25.03.2007)
 Cold Zero, MAMBO & Joomla NFN Address Book v0.4 (nfnaddressbook.php) Remote File Include Vulnerabilities (25.03.2007)
 Cold Zero, htmltonuke 2.0alpha for postnuke & PHP-Nuke(htmltonuke.php) Remote File Include Vulnerabilities (25.03.2007)
 GolD_M, ClassWeb <= 2.03 Remote File Include Vulnerabilities (25.03.2007)
 GolD_M, Philex 0.2.3 <= Remote File(Disclosure/Include)Vulnerabilities (25.03.2007)
 parad0x_(at)_bsdmail.com, NetVios Portal (page.asp) Remote SQL Injection Vulnerability (25.03.2007)
 XORON, PHPBB Minerva Mod <= 2.0.21 build 238a (forum.php) Remote SQL Injection Exploit (25.03.2007)
 Cold z3ro, iFRAME for PhpNuke (iframe.php) Remote File Include Vulnerabilities (25.03.2007)
 xSh_(at)_overclock.ch, MOODLE <= 1.5.2 user password read out (25.03.2007)
 RaeD Hasadya, Remote File Include In phpBB-2.0.19 (25.03.2007)
 ngevedBangetAsli_(at)_mbuhyesah.org, File Upload System V1.0 (AD_BODY_TEMP) multiple file include (25.03.2007)
Files: ScriptMagix Recipes <= 2.0 (index.php catid) Remote Blind SQL Injection Exploit
 ScriptMagix Photo Rating <= 2.0 (viewcomments.php) Remote Blind SQL Injection Exploit
 ScriptMagix Lyrics <= 2.0 (index.php recid) Remote Blind SQL Injection Exploit
 Katalog Plyt Audio (pl) <= 1.0 Remote SQL Injection Exploit
 Exploits MetaForum <= 0.513 Beta - Remote file upload Vulnerability
 Modulo Splatt Forum v4.0 RC1(bbcode_ref.php name)Local File Include Exploit
 pragmaMX Landkartenmodule 2.1 Local File Inclusion Exploit
 GeBlog 0.1(GLOBALS[tplname])Local File Inclusion Exploit
 Mambo 4.5.1 Modules Flatmenu <= 1.07 Remote File Include Exploit
 Exploits Monster Top List <= 1.4.2 remote Command Execution Vulnerabilities
 Portail PHP v20 (index.php) Remote SQL Injection Exploit
 RoseOnlineCMS v3 B1(op)Local File Inclusion Exploit
 Joomla Component Car Manager <= 1.1 Blind SQL Injection Exploit
 Joomla Component RWCards <= 2.4.3 Remote Blind SQL Injection Exploit
 Active Newsletter <= V.4.3 (ViewNewspapers.asp) Remote SQL Injection Exploit
 eWebquiz <= V.8 (eWebQuiz.asp) Remote SQL Injection Exploit
 PBlang 4.66z Create Admin Exploit
 Active PHP Bookmark Notes 0.2.5 <= Remote File Inclusion Exploit
 Net Portal Dynamic System (NPDS) <= 5.10 Remote Code Execution 0day
 Guestbara <= 1.2 Change admin login password exploit
 ScriptMagix FAQ Builder <= 2.0 (index.php) Remote Blind SQL Injection Exploit
 ScriptMagix Jokes <= 2.0 (index.php catid) Remote Blind SQL Injection Exploit

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod