Информационная безопасность
[RU] switch to English


Cводка уязвимостей безопасности в Web-приложениях (PHP, ASP, JSP, CGI, Perl)
Опубликовано:13 февраля 2012 г.
Источник:
SecurityVulns ID:12182
Тип:удаленная
Уровень опасности:
5/10
Описание:Инъекции PHP, инъекции SQL, обратный путь в каталогах, межсайтовый скриптинг, модификация файлов, утечка информации и т.д.
Затронутые продукты:BUGZILLA : Bugzilla 3.5
 BUGZILLA : Bugzilla 3.6
 BUGZILLA : Bugzilla 3.7
 ZENPHOTO : ZenPhoto 1.4
 PHPLDAPADMIN : phpLDAPadmin 1.2
 BUGZILLA : Bugzilla 4.1
 CYBEROAM : Cyberoam Central Console 2.00
 EFRONTLEARNING : eFronts Community++ 3.6
 BATAVI : Batavi 1.1
 APACHE : CXF 2.4
 APACHE : CXF 2.5
 SIMPLEGROUPWARE : SimpleGroupware 0.742
 BUGZILLA : Bugzilla 4.2
 BUGZILLA : Bugzilla 4.0
 MIBEW : mibew messenger 1.6
 POSTFIXADMIN : postfixadmin 2.3
 OSCLASS : OSClass 2.3
 DLCASSIFIEDS : DClassifieds 0.1
 WORDPRESS : WordPress 3.3
 WORDPRESS : Kish Guest Posting Plugin 1.0
 BIGWARE : Bigware shop 2.14
 SOLARWINDS : SolarWinds Storage Manager Server 5.1
 WORDPRESS : AllWebMenus 1.1
CVE:CVE-2012-0995 (Multiple cross-site scripting (XSS) vulnerabilities in ZENphoto 1.4.2 allow remote attackers to inject arbitrary web script or HTML via the (1) msg parameter in an external action to zp-core/admin.php, (2) PATH_INTO to an unspecified URL, as demonstrated using /1/, (3) PATH_INFO to zp-core/admin.php, or (4) album parameter to zp-core/admin-edit.php.)
 CVE-2012-0994 (SQL injection vulnerability in the Manage Albums feature in zp-core/admin-albumsort.php in ZENphoto 1.4.2 allows remote authenticated users to execute arbitrary SQL commands via the sortableList parameter.)
 CVE-2012-0993 (Eval injection vulnerability in zp-core/zp-extensions/viewer_size_image.php in ZENphoto 1.4.2, when the viewer_size_image plugin is enabled, allows remote attackers to execute arbitrary PHP code via the viewer_size_image_saved cookie.)
 CVE-2012-0803
 CVE-2012-0448 (Bugzilla 2.x and 3.x before 3.4.14, 3.5.x and 3.6.x before 3.6.8, 3.7.x and 4.0.x before 4.0.4, and 4.1.x and 4.2.x before 4.2rc2 does not reject non-ASCII characters in e-mail addresses of new user accounts, which makes it easier for remote authenticated users to spoof other user accounts by choosing a similar e-mail address.)
Оригинальный текстdocumentpavel_(at)_6scan.com, AllWebMenus < 1.1.9 WordPress Menu Plugin Arbitrary file upload (13.02.2012)
 documentddivulnalert_(at)_ddifrontline.com, DDIVRT-2011-39 SolarWinds Storage Manager Server SQL Injection Authentication Bypass (13.02.2012)
 documentVulnerability Lab, Bart`s CMS - SQL Injection Vulnerability (13.02.2012)
 documentrwenzel_(at)_dw-itsecurity.de, SQL injection in Bigware shop software (13.02.2012)
 documentn0b0d13s_(at)_gmail.com, Wordpress Kish Guest Posting Plugin 1.0 (uploadify.php) Unrestricted File Upload Vulnerability (13.02.2012)
 documentTrustwave Advisories, TWSL2012-002: Multiple Vulnerabilities in WordPress (13.02.2012)
 documentHigh-Tech Bridge Security Research, CSRF (Cross-Site Request Forgery) in DClassifieds (13.02.2012)
 documentHigh-Tech Bridge Security Research, Multiple vulnerabilities in OSclass (13.02.2012)
 documentFilippo Cavallarin, Mibew messenger multiple XSS (13.02.2012)
 documentFilippo Cavallarin, Multiple vulnerabilities in postfixadmin (13.02.2012)
 documentFilippo Cavallarin, Multiple vulnerabilities in OSClass (13.02.2012)
 documentLpSolit_(at)_gmail.com, Security advisory for Bugzilla 4.2rc2, 4.0.4, 3.6.8 and 3.4.14 (13.02.2012)
 documentHigh-Tech Bridge Security Research, Multiple vulnerabilities in OpenEMR (13.02.2012)
 documentandsarmiento_(at)_gmail.com, XSS phpLDAPadmin: 1.2.0.5 (Debian package) and 1.2.2 (sourceforge) (13.02.2012)
 documentsecurity_(at)_infoserve.de, SimpleGroupware 0.742 Cross-Site-Scripting vulnerability (13.02.2012)
 documentAPACHE, CVE-2012-0803: Apache CXF does not validate UsernameToken policies correctly (13.02.2012)
 documentNetsparker Advisories, SQL Injection Vulnerability in Batavi 1.1.2 (13.02.2012)
 documentVulnerability Lab, eFronts Community++ v3.6.10 - Cross Site Vulnerability (13.02.2012)
 documentVulnerability Lab, Cyberoam Central Console v2.00.2 - File Include Vulnerability (13.02.2012)
 documentHigh-Tech Bridge Security Research, Multiple vulnerabilities in ZENphoto (13.02.2012)

О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород