Information Security


Daily digest of bugs in Web applications (PHP, ASP, JSP, CGI, Perl)
Published: April 1, 2007
Source:
SecurityVulns ID: 7519
Type: remote
Severity:
5/10
Description: PHP injection, SQL injection, directory traversal, cross-site scripting, information leakage, etc.
Affected products: JOOMLA : D4JeZine 2.8 module for Joomla
 XOOPS : Lykos Reviews 1.00 module for Xoops
 XOOPS : MyAds 2.03 module for Xoops
 XOOPS : Articles 1.02 module for Xoops
 XOOPS : Friendfinder 3.3 module for Xoops
CVE: CVE-2007-1975 (Multiple PHP remote file inclusion vulnerabilities in SLAED CMS 2 allow remote attackers to execute arbitrary PHP code via a URL in the (1) path parameter to admin/admin.php or the (2) modpath parameter to index.php.)
 CVE-2007-1855 (Multiple PHP remote file inclusion vulnerabilities in smarty/smarty_class.php in Shop-Script FREE allow remote attackers to execute arbitrary PHP code via a URL in the (1) _smarty_compile_path, (2) smarty_compile_path, (3) get_plugin_filepath, (4) smarty_dir, and (5) filename parameters. NOTE: this issue might be related to CVE-2006-7105.)
 CVE-2007-1847 (SQL injection vulnerability in viewcat.php in the Repository module for Xoops allows remote attackers to execute arbitrary SQL commands via the cid parameter.)
 CVE-2007-1846 (SQL injection vulnerability in index.php in the MyAds 2.04jp and earlier module for Xoops allows remote attackers to execute arbitrary SQL commands via the cid parameter, different vectors than CVE-2006-3341.)
 CVE-2007-1845 (SQL injection vulnerability in show_event.php in the Expanded Calendar (calendar_panel) 2.00 module for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the m_month parameter.)
 CVE-2007-1844 (Multiple PHP remote file inclusion vulnerabilities in Aardvark Topsites PHP 5 allow remote attackers to execute arbitrary PHP code via a URL in the path parameter to (1) button/settings_sql.php, (2) settings_sql.php, and (3) sources/misc/new_day.php.)
 CVE-2007-1838 (SQL injection vulnerability in view.php in the Friendfinder 3.3 and earlier module for Xoops allows remote attackers to execute arbitrary SQL commands via the id parameter.)
 CVE-2007-1817 (SQL injection vulnerability in index.php in the Lykos Reviews (lykos_reviews) 1.00 module for Xoops allows remote attackers to execute arbitrary SQL commands via the uid parameter in a u action.)
 CVE-2007-1816 (SQL injection vulnerability in viewcat.php in the Tutoriais module for Xoops allows remote attackers to execute arbitrary SQL commands via the cid parameter.)
 CVE-2007-1815 (SQL injection vulnerability in viewcat.php in the Library module for Xoops allows remote attackers to execute arbitrary SQL commands via the cid parameter.)
 CVE-2007-1814 (SQL injection vulnerability in viewcat.php in the Core module for Xoops allows remote attackers to execute arbitrary SQL commands via the cid parameter, a different vector than CVE-2007-0377.)
 CVE-2007-1776 (SQL injection vulnerability in index.php in the DesignForJoomla.com D4J eZine (com_ezine) 2.8 and earlier component for Joomla! allows remote attackers to execute arbitrary SQL commands via the article parameter in a read action.)
Original text: RaeD Hasadya, Remote File Include In Aardvark Topsites PHP 5 (01.04.2007)
 RaeD Hasadya, Remote File Include In Shop-SCRIPT FREE (01.04.2007)
 RaeD Hasadya, Remote File Include In SLAED_CMS_2 (01.04.2007)
Files: PHP-Fusion 'Calendar_Panel' Module (m_month) SQL Injection Exploit
 Joomla Component D4JeZine <= 2.8 Remote BLIND SQL Injection Exploit
 Xoops All Version -Articles- Print.PHP (ID) Blind SQL Injection Exploit And PoC
 XOOPS Module Lykos Reviews 1.00 (index.php) BLIND SQL Injection Exploit
 XOOPS Module Library (viewcat.php) BLIND SQL Injection Exploit
 XOOPS Module Core (viewcat.php) Remote BLIND SQL Injection Exploit
 XOOPS Module Tutoriais (viewcat.php) Remote BLIND SQL Injection Exploit
 XOOPS Module Repository (viewcat.php) BLIND SQL Injection Exploit
 Xoops Module MyAds Bug Fix <= v2.04jp (index.php cid) BLIND SQL Injection Exploit
 Xoops module Articles <= 1.02 (index.php cat_id) SQL Injection Exploit
 Xoops Module Friendfinder <= 3.3 (view.php id) BLIND SQL Injection Exploit

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod