Information Security

Summary of security vulnerabilities in web applications (PHP, ASP, JSP, CGI, Perl)
Published: 23 April 2012
SecurityVulns ID: 12336
Severity level:
Description: PHP injection, SQL injection, directory traversal, cross-site scripting, file modification, information disclosure, etc.
Affected products: NETJUKE : Netjuke 1.0
 WORDPRESS : Register Plus Redux 3.7
 TYPO3 : typo3 4.5
 BUGZILLA : Bugzilla 4.2
 WORDPRESS : WordPress 3.3
 KASSEYA : Kaseya 6.2
 LIFERAY : Liferay 6.0
 LIFERAY : Liferay 6.1
 NEWSCOOP : Newscoop 3.5
 OWNCLOUD : ownCloud 3.0
 DOKUWIKI : DokuWiki 20120125
 SICHESEARCH : Siche search 0.5
 APACHE : OFBiz 10.04
 JIVESOFTWARE : Fastpath WebChat 4.0
 WORDPRESS : Organizer 1.2
 WORDPRESS : Register Plus Redux 3.8
 T3 : T3 DB Tools 1.6
 SEDITIO : sfquickban 1.0
 SEDITIO : Seditio 170
 INVISION : Invision Power Board 3.3
 WORDPRESS : All-in-One Event Calendar 1.4
 EPESIBIM : epesiBIM CRM 1.2
 MATTERDADDY : Matterdaddy Market 1.1
 APACHE : Cloudera 1.0
 WORDPRESS : Uploadify Integration 0.9
 IDEVSPOT : idev Game Site CMS 1.0
 OSCMAX : osCmax Shop CMS 2.5
 CSFORUM : CsForum 0.8
 PHPMYBIBLE : phpMyBible 0.5
 HAVALITE : Havalite CMS 1.0
 EXPONENTCMS : ExponentCMS 2.0
CVE: CVE-2012-2270 (Open redirect vulnerability in index.php (aka the Login Page) in ownCloud before 3.0.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirect_url parameter.)
 CVE-2012-2269 (Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 3.0.3 allow remote attackers to inject arbitrary web script or HTML via (1) an arbitrary field to apps/contacts/ajax/addcard.php, (2) the parameter parameter to apps/contacts/ajax/addproperty.php, (3) the name parameter to apps/contacts/ajax/createaddressbook, (4) the file parameter to files/download.php, or the (5) name, (6) user, or (7) redirect_url parameter to files/index.php.)
 CVE-2012-2112 (Cross-site scripting (XSS) vulnerability in the Exception Handler in TYPO3 4.4.x before 4.4.15, 4.5.x before 4.5.15, 4.6.x before 4.6.8, and 4.7 allows remote attackers to inject arbitrary web script or HTML via exception messages.)
 CVE-2012-1935 (Multiple cross-site scripting (XSS) vulnerabilities in Newscoop 3.5.x before 3.5.5 and 4.x before 4 RC4 allow remote attackers to inject arbitrary web script or HTML via the (1) Back parameter to admin/ad.php, or the (2) token or (3) f_email parameter to admin/password_check_token.php.)
 CVE-2012-1934 (SQL injection vulnerability in admin/country/edit.php in Newscoop before 3.5.5 and 4.x before 4 RC4 allows remote attackers to execute arbitrary SQL commands via the f_country_code parameter.)
 CVE-2012-1933 (Multiple PHP remote file inclusion vulnerabilities in Newscoop 3.5.x before 3.5.5 and 4 before RC4, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the GLOBALS[g_campsiteDir] parameter to (1) include/phorum_load.php, (2) conf/install_conf.php, or (3) conf/liveuser_configuration.php.)
 CVE-2012-1835 (Multiple cross-site scripting (XSS) vulnerabilities in the All-in-One Event Calendar plugin 1.4 and 1.5 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) title parameter to app/view/agenda-widget-form.php; (2) args, (3) title, (4) before_title, or (5) after_title parameter to app/view/agenda-widget.php; (6) button_value parameter to app/view/box_publish_button.php; or (7) msg parameter to /app/view/save_successful.php.)
 CVE-2012-1621 (Multiple cross-site scripting (XSS) vulnerabilities in Apache Open For Business Project (aka OFBiz) 10.04.x before 10.04.02 allow remote attackers to inject arbitrary web script or HTML via (1) a parameter array in freemarker templates, the (2) contentId or (3) mapKey parameter in a cms event request, which are not properly handled in an error message, or unspecified input in (4) an ajax request to the getServerError function in checkoutProcess.js or (5) a Webslinger component request. NOTE: some of these details are obtained from third party information.)
 CVE-2012-1574 (The Kerberos/MapReduce security functionality in Apache Hadoop through, 0.23.x before 0.23.2, and 1.0.x before 1.0.2, as used in Cloudera CDH CDH3u0 through CDH3u2, Cloudera hadoop-0.20-sbin before 0.20.2+923.197, and other products, allows remote authenticated users to impersonate arbitrary cluster user accounts via unspecified vectors.)
 CVE-2012-0984 (Multiple cross-site scripting (XSS) vulnerabilities in XOOPS before 2.5.5 allow remote attackers to inject arbitrary web script or HTML via the (1) to_userid parameter to modules/pm/pmlite.php or the (2) current_file, (3) imgcat_id, or (4) target parameter to class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/xoopsimagemanager/xoopsimagebrowser.php.)
 CVE-2012-0465 (Bugzilla 3.5.x and 3.6.x before 3.6.9, 3.7.x and 4.0.x before 4.0.6, and 4.1.x and 4.2.x before 4.2.1, when the inbound_proxies option is enabled, does not properly validate the X-Forwarded-For HTTP header, which allows remote attackers to bypass the lockout policy via a series of authentication requests with (1) different IP address strings in this header or (2) a long string in this header.)
Original text: Netsparker Advisories, XSS and Blind SQL Injection Vulnerabilities in ExponentCMS (23.04.2012)
 Vulnerability Lab, Chengdu Bureau of Commerce - SQL Injection Vulnerability (23.04.2012)
 Vulnerability Lab, Havalite CMS v1.0.4 - Multiple Web Vulnerabilities (23.04.2012)
 Vulnerability Lab, IPhone TreasonSMS - HTML Inject & File Include Vulnerability (23.04.2012)
 Thomas Richards, phpMyBible 0.5.1 Mutiple XSS (23.04.2012)
 DEBIAN, [SECURITY] [DSA 2455-1] typo3-src security update (23.04.2012)
 Vulnerability Lab, idev Game Site CMS v1.0 - Multiple Web Vulnerabilites (23.04.2012)
 Vulnerability Lab, osCmax Shop CMS v2.5.1 - Multiple Web Vulnerabilities (23.04.2012)
 Vulnerability Lab, CsForum v0.8 - Cross Site Scripting Vulnerability (23.04.2012)
 Michal Blaszczak, CitrusDB 2.4.1 - LFI/SQLi Vulnerability (23.04.2012)
 Janek Vind, [waraxe-2012-SA#085] - Reflected XSS in Uploadify Integration Wordpress plugin (23.04.2012)
 Janek Vind, [waraxe-2012-SA#084] - Multiple Vulnerabilities in OpenCart (23.04.2012)
 Aaron T. Myers, [CVE-2012-1574] Apache Hadoop user impersonation vulnerability (23.04.2012)
 CrAzY_CrAcKeR_(at)_phx1-ss-2-lb.cnet.com, PHPNuke Module's Name Download SQL Injection Vulnerabilities (23.04.2012)
 Vulnerability Lab, Matterdaddy Market v1.1 - SQL Injection Vulnerabilities (23.04.2012)
 Vulnerability Lab, GroupWare epesiBIM CRM 1.2.1 - Multiple Web Vulnerabilities (23.04.2012)
 High-Tech Bridge Security Research, Multiple XSS vulnerabilities in All-in-One Event Calendar Plugin for WordPress (23.04.2012)
 CrAzY_CrAcKeR_(at)_phx1-ss-2-lb.cnet.com, online newspaper university "newsdesc.php" SQL Injection Vulnerabilities (23.04.2012)
 Janek Vind, [waraxe-2012-SA#086] - Local File Inclusion in Invision Power Board 3.3.0 (23.04.2012)
 chin4b0y, t3_dbtools_seditio_plugin_CSRF (23.04.2012)
 chin4b0y, seditio_PmOS_plugin_XSS_vuln (23.04.2012)
 chin4b0y, sfquickban_plugin_CSRF (23.04.2012)
 chin4b0y, seditio-build170.20120302_sql_injection_CSRF_info_disclosure_XSS.txt (23.04.2012)
 MustLive, New XSS vulnerabilities in Register Plus Redux for WordPress (23.04.2012)
 MustLive, DoS vulnerability in WordPress (23.04.2012)
 MustLive, XSS and FPD vulnerabilities in Organizer for WordPress (23.04.2012)
 Vulnerability Lab, DHTMLX Suite v.3.0 - Multiple Web Vulnerabilities (23.04.2012)
 Vulnerability Lab, Netjuke 1.0 RC1 - SQL Injection Vulnerabilities (23.04.2012)
 Vulnerability Lab, ACC PHP eMail v1.1 - Multiple Web Vulnerabilites (23.04.2012)
 YGN Ethical Hacker Group, FastPath Webchat | Multiple Cross Site Scripting Vulnerabilities (23.04.2012)
 APACHE, [CVE-2012-1622] Apache OFBiz information disclosure vulnerability (23.04.2012)
 APACHE, [CVE-2012-1621] Apache OFBiz information disclosure vulnerability (23.04.2012)
 Vulnerability Lab, Siche Search v.0.5 Zerboard - Multiple Web Vulnerabilities (23.04.2012)
 CrAzY_CrAcKeR_(at)_phx1-ss-2-lb.cnet.com, Total Quality Machines (productdetail.php) SQL Injection Vulnerabilities (23.04.2012)
 YGN Ethical Hacker Group, Joomla! Plugin - Beatz 1.x <= Multiple Cross Site Scripting Vulnerabilities (23.04.2012)
 YGN Ethical Hacker Group, Acuity CMS 2.6.x <= Cross Site Scripting (23.04.2012)
 irancrash_(at)_gmail.com, DokuWiki Ver.2012/01/25 CSRF Add User Exploit (23.04.2012)
 Tobias Glemser, TC-SA-2012-01: Multiple web-vulnerabilities in ownCloud 3.0.0 (23.04.2012)
 High-Tech Bridge Security Research, Multiple vulnerabilities in Newscoop (23.04.2012)
 High-Tech Bridge Security Research, Multiple XSS vulnerabilities in XOOPS (23.04.2012)
 LpSolit_(at)_gmail.com, Security advisory for Bugzilla 4.2.1, 4.0.6 and 3.6.9 (23.04.2012)
 Jelmer Kuperus, Specially crafted Json service request allows full control over a Liferay portal instance (23.04.2012)
 Jelmer Kuperus, Liferay 6.1 can be compromised in its default configuration (23.04.2012)
 Jelmer Kuperus, Specially crafted webdav request allows reading of local files on liferay 6.0.x (23.04.2012)
 bede_(at)_foofus.net, XSS in Kaseya version web interface (23.04.2012)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod