Информационная безопасность
[RU] switch to English


Ежедневная сводка ошибок в Web-приложениях (PHP, ASP, JSP, CGI, Perl )
Опубликовано:6 февраля 2007 г.
Источник:
SecurityVulns ID:7188
Тип:удаленная
Уровень опасности:
5/10
Описание:Инъекции PHP, инъекции SQL, обратный путь в каталогах, межсайтовый скриптинг, утечка информации и т.д.
Затронутые продукты:UAPPLICATION : Uphotogallery 1.1
 LESNEWS : Les News 2.2
CVE:CVE-2007-0815 (Cross-site scripting (XSS) vulnerability in images_archive.asp in Uapplication Uphotogallery 1.1 allows remote authenticated administrators to inject arbitrary web script or HTML via the s parameter. NOTE: the thumbnails.asp vector is already covered by CVE-2006-3023.)
 CVE-2007-0808 (PHP remote file inclusion vulnerability in Mina Ajans Script allows remote attackers to execute arbitrary PHP code via a URL in the syf parameter to an unspecified PHP script.)
 CVE-2007-0806 (Les News 2.2 allows remote attackers to bypass authentication and gain administrative access via a direct request for adminews/index_fr.php3, and possibly the adminews index documents for other localizations.)
Оригинальный текстdocumentHackers Center Security Group, Uphotogallery Multiple Cross-Site Scripting Vulnerability (06.02.2007)
 documentcanberx_(at)_bsdmail.com, Mina Ajans Script Remote File Inclusion Vuln. (06.02.2007)
 documentsn0oPy.team_(at)_gmail.com, Les News v2.2 [Admin news without password] (06.02.2007)

Утечка информации через ps в OSF/1 (information leak)
Опубликовано:6 февраля 2007 г.
Источник:
SecurityVulns ID:7189
Тип:локальная
Уровень опасности:
4/10
Описание:Существует возможность просмотреть переменные окружения процессов.
Затронутые продукты:HP : OSF/1 5.1
CVE:CVE-2007-0805 (The ps (/usr/ucb/ps) command on HP Tru64 UNIX 5.1 1885 allows local users to obtain sensitive information, including environment variables of arbitrary processes, via the "auxewww" argument, a similar issue to CVE-1999-1587.)
Оригинальный текстdocumentAndrea "bunker" Purificato, [Full-disclosure] PS Information Leak on HP True64 Alpha OSF1 v5.1 1885 (06.02.2007)
Файлы:Exploits "ps" command (also /usr/ucb/ps) on HP OSF1 v5.1 Alpha

Обход защиты от фишинга в Firefox / Opera (protection bypass)
Опубликовано:6 февраля 2007 г.
Источник:
SecurityVulns ID:7190
Тип:удаленная
Уровень опасности:
2/10
Описание:Возможно обойти защиту от фишинга добавив "." к имени хоста или дополнительный "/" после имени.
Затронутые продукты:MOZILLA : Firefox 2.0
 OPERA : Opera 9.10
CVE:CVE-2007-1762 (Mozilla Firefox 2.0.0.1 through 2.0.0.3 does not canonicalize URLs before checking them against the phishing site blacklist, which allows remote attackers to bypass phishing protection via multiple / (slash) characters in the URL.)
 CVE-2007-0802 (Mozilla Firefox 2.0.0.1 allows remote attackers to bypass the Phishing Protection mechanism by adding certain characters to the end of the domain name, as demonstrated by the "." and "/" characters, which is not caught by the Phishing List blacklist filter.)
 CVE-2006-6971 (Mozilla Firefox 2.0, possibly only when running on Windows, allows remote attackers to bypass the Phishing Protection mechanism by representing an IP address in (1) dotted-hex, (2) dotted-octal, (3) single decimal integer, (4) single hex integer, or (5) single octal integer format, which is not captured by the blacklist filter.)
 CVE-2006-6970 (Opera 9.10 Final allows remote attackers to bypass the Fraud Protection mechanism by adding certain characters to the end of a domain name, as demonstrated by the "." and "/" characters, which is not caught by the blacklist filter.)
Оригинальный текстdocumentKanedaaa Bohater, Firefox 2.0.0.1 and Opera 9.10 Anty Fraud/Phishing Protection bypass. (06.02.2007)

О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород