Information Security


Daily digest of bugs in web applications (PHP, ASP, JSP, CGI, Perl)
Published: 16 April 2007
Source:
SecurityVulns ID: 7582
Type: remote
Danger level: 5/10
Description: PHP injection, SQL injection, directory traversal, cross-site scripting, information leakage, etc.
Affected products:
 PHPMYCHAT : phpMyChat 0.14
 MAIANSCRIPTWORLD : Maian Weblog 3.1
 flip : Flip-search-add-on 2.0
 MYSPEACH : MySpeach 1.9
 B2EVOLUTION : B2evolution 1.6
 MAIANSCRIPTWORLD : Maian Gallery 1.0
 MAIAN : Maian Search 1.1
 BLOOFOX : bloofoxCMS 0.2
 BACKEND : Back-End CMS Database Tables 0.4
 MPPHP : MobilePublisherphp 1.1
 FLOWERS : FloweRS 2.0
 PIXARIA : Pixaria Gallery 1.0
 SITEBAR : SiteBar 3.3
CVE:
 CVE-2007-2078 (** DISPUTED ** PHP remote file inclusion vulnerability in index.php in Maian Weblog 3.1 allows remote attackers to execute arbitrary PHP code via a URL in the path_to_folder parameter. NOTE: this issue was disputed by a third party researcher, since the path_to_folder variable is initialized before use.)
 CVE-2007-2077 (PHP remote file inclusion vulnerability in search.php in Maian Search 1.1 allows remote attackers to execute arbitrary PHP code via a URL in the path_to_folder parameter. NOTE: this issue was disputed by a third party researcher, but confirmed by the vendor, stating "this issue was fixed last year and [no] is longer a problem.")
 CVE-2007-2076 (PHP remote file inclusion vulnerability in index.php in Maian Gallery 1.0 allows remote attackers to execute arbitrary PHP code via a URL in the path_to_folder parameter. NOTE: this issue was disputed by a third party researcher, but confirmed by the vendor, stating "this problem existed only briefly in v1.0.")
 CVE-2007-2018 (SQL injection vulnerability in msg.php in AlstraSoft Video Share Enterprise allows remote authenticated users to execute arbitrary SQL commands via the id parameter.)
 CVE-2007-2017 (siteadmin/useredit.php in AlstraSoft Video Share Enterprise does not check authentication, which allows remote attackers to obtain or modify user information via a direct request.)
 CVE-2007-2013 (Cross-site scripting (XSS) vulnerability in index.php in JEx-Treme Einfacher Passworschutz allows remote attackers to inject arbitrary web script or HTML via the msg parameter.)
Original text:
 lo-talt-alayam_(at)_hotmail.com, Sitebar 3.3.5 (index.php writerFile) Remote File Include Vulnerabilities (16.04.2007)
 irvian, Pixaria Gallery 1.0 (class.Smarty.php) Remote File Include Vulnerability (16.04.2007)
 the_3dit0r_(at)_yahoo.com, Back-End CMS Database Tables v0.4.7 Cross Site Scripting (16.04.2007)
 the_3dit0r_(at)_yahoo.com, bloofoxCMS 0.2.2 Cross Site Scripting (16.04.2007)
 the_3dit0r_(at)_yahoo.com, MobilePublisherphp v1.1.2 Remote File Include Vulnerabilities (16.04.2007)
 the_3dit0r_(at)_yahoo.com, FloweRS v2.0 Cross Site Scripting (16.04.2007)
 the_3dit0r_(at)_yahoo.com, Back-End CMS Database Tables v0.4.7 Remote File Include Vulnerabilities (16.04.2007)
 the_3dit0r_(at)_yahoo.com, bloofoxCMS 0.2.2 Remote File Include Vulnerability (16.04.2007)
 k4rtal_(at)_gmail.com, Maian Weblog v3.1 (16.04.2007)
 k4rtal_(at)_gmail.com, Flip-search-add-on 2.0 (16.04.2007)
 k4rtal_(at)_gmail.com, MySpeach v1.9 (16.04.2007)
 k4rtal_(at)_gmail.com, B2evolution 1.6 RFI (16.04.2007)
 k4rtal_(at)_gmail.com, Maian Gallery v1.0 (16.04.2007)
 k4rtal_(at)_gmail.com, Maian Search v1.1 (16.04.2007)
 k4rtal_(at)_gmail.com, phpMyChat-0.14.5 (16.04.2007)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod