Summary of security vulnerabilities in Web applications (PHP, ASP, JSP, CGI, Perl)

| Field | Value |
|---|---|
| Published: | December 21, 2009 |
| Source: | |
| SecurityVulns ID: | 10485 |
| Type: | remote |
| Severity: | 5/10 |
| Description: | PHP injections, SQL injections, directory traversal, cross-site scripting, file modification, information leakage, etc. |
| Affected products: | DVBBS : Dvbbs 7.1 |
| | SIMPLEPHPBLOG : Simple PHP Blog 0.5 |
| | PHPCALENDAR : PHP-Calendar 1.1 |
| | GANETI : Ganeti 1.2 |
| | GANETI : Ganeti 2.0 |
| | GANETI : Ganeti 2.1 |
| | SIMPLEMACHINES : Simple Machine Forum 1.1 |
| | PHPPOLLSCRIPT : phpPollScript 1.3 |
| CVE: | CVE-2009-4261 (Multiple directory traversal vulnerabilities in the iallocator framework in Ganeti 1.2.4 through 1.2.8, 2.0.0 through 2.0.4, and 2.1.0 before 2.1.0~rc2 allow (1) remote attackers to execute arbitrary programs via a crafted external script name supplied through the HTTP remote API (RAPI) and allow (2) local users to execute arbitrary programs and gain privileges via a crafted external script name supplied through a gnt-* command, related to "path sanitization errors.") |
| | CVE-2009-3702 (Multiple absolute path traversal vulnerabilities in PHP-Calendar 1.1 allow remote attackers to include and execute arbitrary local files via a full pathname in the configfile parameter to (1) update08.php or (2) update10.php. NOTE: in some environments, this can be leveraged for remote file inclusion by using a UNC share pathname or an ftp, ftps, or ssh2.sftp URL.) |