Information Security


Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
Published: April 6, 2011
Source:
SecurityVulns ID: 11568
Type: remote
Severity: 5/10
Description: PHP injections, SQL injections, directory traversal, cross-site scripting, file modification, information leakage, etc.
Affected products: REDMINE : redmine 1.0
 REDMINE : Redmine 1.1
Original text: Netsparker Advisories, XSS Vulnerability in Redmine 1.0.1 to 1.1.1 (06.04.2011)
 md.r00t.defacer_(at)_gmail.com, StartSite.ir Cross-site Scripting Vulnerability (06.04.2011)

Memory corruption in rsync
updated since April 6, 2011
Published: April 27, 2011
Source:
SecurityVulns ID: 11565
Type: client
Severity: 5/10
Description: Memory corruption when parsing the server response.
Affected products: RSYNC : rsync 3.0
CVE: CVE-2011-1097 (rsync 3.x before 3.0.8, when certain recursion, deletion, and ownership options are used, allows remote rsync servers to cause a denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via malformed data.)
Original text: MANDRIVA, [ MDVSA-2011:066 ] rsync (06.04.2011)

Multiple security vulnerabilities in logrotate
updated since April 6, 2011
Published: July 26, 2011
Source:
SecurityVulns ID: 11566
Type: local
Severity: 5/10
Description: Race conditions, shell metacharacter problem, DoS.
Affected products: LOGROTATE : logrotate 3.7
CVE: CVE-2011-1548 (The default configuration of logrotate on Debian GNU/Linux uses root privileges to process files in directories that permit non-root write access, which allows local users to conduct symlink and hard link attacks by leveraging logrotate's lack of support for untrusted directories, as demonstrated by /var/log/postgresql/.)
 CVE-2011-1155 (The writeState function in logrotate.c in logrotate 3.7.9 and earlier might allow context-dependent attackers to cause a denial of service (rotation outage) via a (1) \n (newline) or (2) \ (backslash) character in a log filename, as demonstrated by a filename that is automatically constructed on the basis of a hostname or virtual machine name.)
 CVE-2011-1154 (The shred_file function in logrotate.c in logrotate 3.7.9 and earlier might allow context-dependent attackers to execute arbitrary commands via shell metacharacters in a log filename, as demonstrated by a filename that is automatically constructed on the basis of a hostname or virtual machine name.)
 CVE-2011-1098 (Race condition in the createOutputFile function in logrotate.c in logrotate 3.7.9 and earlier allows local users to read log data by opening a file before the intended permissions are in place.)
Original text: UBUNTU, [USN-1172-1] logrotate vulnerabilities (26.07.2011)
 MANDRIVA, [ MDVSA-2011:065 ] logrotate (06.04.2011)

Information leakage in HP Network Node Manager i
updated since April 6, 2011
Published: October 31, 2011
Source:
SecurityVulns ID: 11567
Type: remote
Severity: 5/10
Affected products: HP : Network Node Manager i 9.0
CVE: CVE-2011-1534 (Unspecified vulnerability in HP Network Node Manager i (NNMi) 9.0x allows remote authenticated users to obtain access to processes via unknown vectors.)
 CVE-2011-0898 (Cross-site scripting (XSS) vulnerability in HP Network Node Manager i (NNMi) 9.00 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.)
 CVE-2011-0897 (Unspecified vulnerability in HP Network Node Manager i (NNMi) 9.00 allows local users to read arbitrary files via unknown vectors.)
 CVE-2011-0895 (Unspecified vulnerability in HP Network Node Manager i (NNMi) 9.0x and 8.1x allows remote authenticated users to obtain sensitive information via unknown vectors.)
 CVE-2010-4476 (The Double.parseDouble method in Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier, as used in OpenJDK, Apache, JBossweb, and other products, allows remote attackers to cause a denial of service via a crafted string that triggers an infinite loop of estimations during conversion to a double-precision binary floating-point number, as demonstrated using 2.2250738585072012e-308.)
 CVE-2010-0738 (The JMX-Console web application in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 performs access control only for the GET and POST methods, which allows remote attackers to send requests to this application's GET handler by using a different method.)
Original text: HP, [security bulletin] HPSBMU02714 SSRT100244 rev.1 - HP Network Node Manager i (NNMi) for HP-UX, Linux, Solaris, and Windows, Remote Unauthorized Disclosure of Information (31.10.2011)
 HP, [security bulletin] HPSBMA02659 SSRT100440 rev.1 - HP Network Node Manager i (NNMi) for HP-UX, Linux, Solaris, and Windows, Remote Unauthorized Access (19.04.2011)
 HP, [security bulletin] HPSBMA02643 SSRT100416 rev.2 - HP Network Node Manager i (NNMi), Local Unauthorized Read Access to Files, Remote Cross Site Scripting (XSS) (14.04.2011)
 HP, [security bulletin] HPSBUX02642 SSRT100415 rev.1 - HP Network Node Manager i (NNMi) for HP-UX, Linux, Solaris, and Windows running Java, Remote Denial of Service (DoS) (14.04.2011)
 HP, [security bulletin] HPSBMA02652 SSRT100432 rev.2 - HP Network Node Manager i (NNMi) for HP-UX, Linux, Solaris, and Windows, Remote Information Disclosure (06.04.2011)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod