Information Security


Summary of security vulnerabilities in web applications (PHP, ASP, JSP, CGI, Perl)
Updated: 28 January 2013
Published: 28 January 2013
Source:
SecurityVulns ID: 12850
Type: remote
Severity: 5/10
Description: PHP injection, SQL injection, directory traversal, cross-site scripting, file modification, information disclosure, etc.
Affected products: GANGLIA : ganglia 3.3
 MOVABLETYPE : MovableType 5.1
 WORDPRESS : SolveMedia 1.1
 IMAGECMS : ImageCMS 4.0
 GPEASY : gpEasy 3.5
 COMBODO : iTop 2.0
 COMBODO : iTop 1.2
 DIGILIBE : DigiLIBE 3.4
CVE: CVE-2013-1402 (DigiLIBE 3.4 and possibly other versions sends a redirect but does not exit, which allows remote attackers to obtain sensitive configuration information via a direct request to configuration/general_configuration.html.)
 CVE-2013-1401
 CVE-2013-1400
 CVE-2013-0807 (Cross-site scripting (XSS) vulnerability in the NewSectionPrompt function in include/tool/editing_page.php in gpEasy CMS 3.5.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the section parameter in a new_section action to index.php.)
 CVE-2013-0805 (Multiple cross-site scripting (XSS) vulnerabilities in the search feature in iTop (aka IT Operations Portal) 2.0, 1.2.1, 1.2, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) text parameter to pages/UI.php or (2) expression parameter to pages/run_query.php. NOTE: some of these details are obtained from third party information.)
 CVE-2013-0209 (lib/MT/Upgrade.pm in mt-upgrade.cgi in Movable Type 4.2x and 4.3x through 4.38 does not require authentication for requests to database-migration functions, which allows remote attackers to conduct eval injection and SQL injection attacks via crafted parameters, as demonstrated by an eval injection attack against the core_drop_meta_for_table function, leading to execution of arbitrary Perl code.)
 CVE-2012-6290 (SQL injection vulnerability in ImageCMS before 4.2 allows remote authenticated administrators to execute arbitrary SQL commands via the q parameter to admin/admin_search/. NOTE: this can be leveraged using CSRF to allow remote unauthenticated attackers to execute arbitrary SQL commands.)
 CVE-2012-3448 (Unspecified vulnerability in Ganglia Web before 3.5.1 allows remote attackers to execute arbitrary PHP code via unknown attack vectors.)
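The DigiLIBE entry above (CVE-2013-1402) is an Execution After Redirect (EAR) bug: the handler emits a Location header for an unauthenticated caller but keeps running, so the protected page body is still written into the 302 response, and anyone who fetches the URL without following redirects reads it. The following is an added illustration in Python, not DigiLIBE's code: a simulated vulnerable handler next to the fixed one, and a check that flags the pattern on a response. The configuration values, the `/login` target and the 256-byte stub threshold are constructed assumptions for the example.

```python
"""
Execution After Redirect (EAR): simulated handlers plus a response check.
Added example; not code from DigiLIBE or from the advisory.
"""
from dataclasses import dataclass, field

# Constructed stand-in for a sensitive configuration page (not real data).
CONFIG = {
    "db_host": "10.0.0.5",
    "db_user": "digilibe",
    "db_password": "changeme-constructed",
    "smtp_host": "mail.internal.example",
    "admin_email": "admin@example.org",
    "debug": "true",
}
SENSITIVE_PAGE = (
    "<html><body><table>"
    + "".join(f"<tr><td>{k}</td><td>{v}</td></tr>" for k, v in CONFIG.items())
    + "</table></body></html>"
)


@dataclass
class Response:
    status: int = 200
    headers: dict = field(default_factory=dict)
    body: str = ""


def redirect(resp: Response, location: str) -> None:
    """Equivalent of PHP header('Location: ...'): only sets status and header,
    it does NOT stop the script. Whatever runs afterwards still reaches the client."""
    resp.status = 302
    resp.headers["Location"] = location


def handler_vulnerable(session: dict) -> Response:
    """EAR: redirects anonymous users but falls through and renders the page."""
    resp = Response()
    if not session.get("admin"):
        redirect(resp, "/login")  # assumed login URL
        # missing `return resp` (PHP: missing exit/die) right here
    resp.body += SENSITIVE_PAGE
    return resp


def handler_fixed(session: dict) -> Response:
    """Same handler with control flow actually terminated after the redirect."""
    resp = Response()
    if not session.get("admin"):
        redirect(resp, "/login")
        return resp
    resp.body += SENSITIVE_PAGE
    return resp


def looks_like_ear(resp: Response, max_stub_len: int = 256) -> bool:
    """Heuristic: a 3xx response carrying more body than a redirect stub.
    Frameworks emit at most a short 'Moved' page with a redirect; a full
    HTML document on a 3xx is a strong EAR indicator. Apply to responses
    fetched with redirect-following disabled (assumed threshold: 256 bytes)."""
    return 300 <= resp.status < 400 and len(resp.body) > max_stub_len


if __name__ == "__main__":
    for name, handler in (("vulnerable", handler_vulnerable), ("fixed", handler_fixed)):
        r = handler({})  # anonymous request, as an attacker would send it
        print(f"{name}: status={r.status} body_bytes={len(r.body)} ear={looks_like_ear(r)}")
```

A browser follows the 302 immediately, which is why the leak is invisible in ordinary testing; fetching the page with a client that does not follow redirects (for example curl with -i and without -L) shows the body that accompanies the redirect, which is exactly what the check above inspects.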
Original text: High-Tech Bridge Security Research, SQL Injection Vulnerability in ImageCMS (28.01.2013)
 High-Tech Bridge Security Research, Cross-Site Scripting (XSS) vulnerability in gpEasy (28.01.2013)
 stephan.rickauer_(at)_csnc.ch, CVE-2013-0805 / CSNC-2013-001 (28.01.2013)
 i_(at)_amroot.com, CVE-2013-1402 - DigiLIBE Management Console - Execution After Redirect (EAR) Vulnerability (28.01.2013)
 illSecResearchGroup_(at)_gmail.com, WordPress SolveMedia 1.1.0 CSRF Vulnerability (28.01.2013)
 Vulnerability Lab, Wordpress Valums Uploader - File Upload Vulnerability (28.01.2013)
 illSecResearchGroup_(at)_gmail.com, Wordpress Developer Formatter CSRF Vulnerability (28.01.2013)
 DEBIAN, [SECURITY] [DSA 2611-1] movabletype-opensource security update (28.01.2013)
 DEBIAN, [SECURITY] [DSA 2610-1] ganglia security update (28.01.2013)
 marcelavbx_(at)_gmail.com, Multiple SQL injection vulnerabilities in Cardoza Wordpress poll plugin (27.01.2013)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod