Computer Security

Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)

back  news / advisories / software / search /  forward
[EN] securityvulns.ru no-pyccku


Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
updated since 17.06.2006
Published:17.06.2006
Source:
SecurityVulns ID:6271
Type:remote
Threat Level:
5/10
Description:PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.
Affected:MAMBOSERVER : Mambo Server 4.6
 INDEXU : INDEXU 5.0
 BITWEAVER : bitweaver 1.3
 MCGUESTBOOK : mcGuestbook 1.3
 AXENT : aXentForum II
 NUCLEUS : nucleus 3.23
 CALENDARIX : Calendarix 0.7
 DOTWIDGETA : dotwidgeta 2
 CMSFAETHON : CMS Faethon 1.3
CVE:CVE-2006-7017 (Multiple PHP remote file inclusion vulnerabilities in Indexu 5.0.1 allow remote attackers to execute arbitrary PHP code via a URL in the admin_template_path parameter to admin/ scripts (1) app_change_email.php, (2) app_change_pwd.php, (3) app_mod_rewrite.php, (4) app_page_caching.php, (5) app_setup.php, (6) cat_add.php, (7) cat_delete.php, (8) cat_edit.php, (9) cat_path_update.php, (10) cat_search.php, (11) cat_struc.php, (12) cat_view.php, (13) cat_view_hidden.php, (14) cat_view_hierarchy.php, (15) cat_view_registered_only.php, (16) checkurl_web.php, (17) db_alter.php, (18) db_alter_change.php, (19) db_backup.php, (20) db_export.php, (21) db_import.php, (22) editor_add.php, (23) editor_delete.php, (24) editor_validate.php, (25) head.php, (26) index.php, (27) inv_config.php, (28) inv_config_payment.php, (29) inv_create.php, (30) inv_delete.php, (31) inv_edit.php, (32) inv_markpaid.php, (33) inv_markunpaid.php, (34) inv_overdue.php, (35) inv_paid.php, (36) inv_send.php, (37) inv_unpaid.php, (38) lang_modify.p)
 CVE-2006-7011 (** DISPUTED ** PHP remote file inclusion vulnerability in adminips.php in Develooping Flash Chat allows remote attackers to execute arbitrary PHP code via a URL in the banned_file parameter. NOTE: CVE disputes this vulnerability because banned_file is set to a constant value.)
Original documentdocumentnanoymaster_(at)_gmail.com, XSS in GardenWeb (18.06.2006)
 document:) :), Cline Communications Sql injection (18.06.2006)
 documenteufrato_(at)_gmail.com, [ECHO_ADV_33$2006] CMS Faethon 1.3.2 mainpath Remote File Inclusion (18.06.2006)
 documentalp_eren_(at)_ayyildiz.org, Simple PHP Poll Authecnication Admin ByPass (17.06.2006)
 documentSWEET SWEET, file include exploits in dotwidgeta Version 2 (17.06.2006)
 documentroot-hacked_(at)_hotmail.com, PictureDis Products "lang" Parameter File Inclusion Vulnerability (17.06.2006)
 documentgamr-14_(at)_hotmail.com, file include exploits in mcGuestbook 1.3 (17.06.2006)
 documentmins_(at)_wins21.com, Zeroboard File Upload & extension bypass Vulnerability (17.06.2006)
 documentSpC-x, Ji-takz Chat (mycfg) Remote File Inclusion (17.06.2006)
 documentFederico Fazzi, Calendarix 0.7.20060401, SQL Injection Vulnerabilities (17.06.2006)
 documentgamr-14_(at)_hotmail.com, Calendarix 0.7.20060401, SQL Injection Vulnerabilities (17.06.2006)
 documentgamr-14_(at)_hotmail.com, file include exploits in nucleus 3.23 (17.06.2006)
 documentSnoBMSN_(at)_Hotmail.De, aXentForum II XSS vuLLn (17.06.2006)
 documentKARKOR23_(at)_hotmail.com, Indexu v 5.0.01 Multiple Remote File Include Vulnerabilities (17.06.2006)
 documentSpC-x, Develooping Flash Chat (banned_file) Remote File Inclusion (17.06.2006)
 documentCrAzY.CrAcKeR_(at)_hotmail.com, dvdwolf SQL injection/XSS (17.06.2006)
 document:) :), Cline Communications Sql injection (17.06.2006)
Files:bitweaver <= v1.3 'tmpImagePath' attachment mod_mime exploit
 Mambo <= 4.6rc1 'Weblinks' blind SQL injection / admin credentials disclosure exploit
About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod