Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
Published:		25.12.2006
Source:
SecurityVulns ID:		6969
Type:		remote
Level:		5/10
Description:		PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.

Affected:		HLSTATS : HLStats 1.34
		EFKAN : Efkan Forum 1.0
		JINZORA : Jinzora 2.7
		IROKEZ : Irokez CMS 0.7
		ENDONESIA : eNdonesia 8.4
		CIBERIA : ciberia 1.0
		SHADOWEDPORTAL : Shadowed Portal 5.7
		FILEUPLOADMAN : File Upload Manager 1.0
		MXMANIA : Newsletter MX 1.0
		ANANDA : Ananda Real Estate 3.4
		ENTHRALLWEB : Enthrallweb ePhotos 1.0
		ENTHRALLWEB : Enthrallweb eHomes 1.0
		ENTHRALLWEB : Enthrallweb eCars 1.0
		ENTHRALLWEB : Enthrallweb eMates 1.0
		ENTHRALLWEB : Enthrallweb ePages 1.0
		ENTHRALLWEB : Enthrallweb eClassifieds 1.0
		ENTHRALLWEB : Enthrallweb eCoupons 1.0
		ENTHRALLWEB : Enthrallweb eNews 1.0
		ENTHRALLWEB : Dragon Business Directory 3.01
		MXMANIA : Calendar MX BASIC 1.0
		OKULMERKEZIPORTA : Okul Merkezi Portal 1.0
		PAGETOOL : Pagetool CMS 1.07
		B2 : B2 blog 0.5
		SHNEWS : SH-News 0.93
		OPENTAPS : opentaps 0.9
		ABLOG : a-blog 1.52
CVE:		CVE-2007-0840 (Cross-site scripting (XSS) vulnerability in HLstats before 1.35 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors in the search class. NOTE: it is possible that this issue overlaps CVE-2006-4543.3 or CVE-2006-4454.)
		CVE-2006-4454 (Cross-site scripting (XSS) vulnerability in hlstats.php in HLstats 1.34 allows remote attackers to inject arbitrary web script or HTML via the q parameter.)

Original document		SECUNIA, [SA23444] a-blog Cross-Site Scripting Vulnerability (25.12.2006)
		SECUNIA, [SA23457] opentaps "SEARCH_STRING" Cross-Site Scripting Vulnerability (25.12.2006)
		ShaFuq31_(at)_HoTMaiL.CoM, b2 - 0.5 * [index] Remote File Include Vulnerability (25.12.2006)
		ShaFuq31_(at)_HoTMaiL.CoM, Okul Merkezi Portal v1.0 Remote File IncLude Vuln. (25.12.2006)
		ajannhwt_(at)_hotmail.com, Title : Calendar MX BASIC <= 1.0.2 (ID) Remote SQL Injection Vulnerability (25.12.2006)
		ajannhwt_(at)_hotmail.com, Title : Dragon Business Directory <= V3.01.12 (ID) Remote SQL Injection Vulnerability (25.12.2006)
		ajannhwt_(at)_hotmail.com, Enthrallweb eCars 1.0 (types.asp) Remote SQL Injection Vulnerability (25.12.2006)
		ajannhwt_(at)_hotmail.com, Title : Enthrallweb eHomes 1.0 Multiple (SQL/XSS) Vulnerabilities (25.12.2006)
		ajannhwt_(at)_hotmail.com, Enthrallweb ePhotos 1.0 (subLevel2.asp) Remote SQL Injection Vulnerability (25.12.2006)
		ajannhwt_(at)_hotmail.com, Ananda Real Estate <= 3.4 (agent) Remote SQL Injection Vulnerability (25.12.2006)
		cw.cybersecurity_(at)_gmail.com, myPHPNuke Gallery Module (basepath) Remote File Include (25.12.2006)
		cw.cybersecurity_(at)_gmail.com, Shadowed Portal 5.7. Roster Module (mod_root) Remote File Include (25.12.2006)
		z1ckX(ru), bugs for Endonesia8.4 (25.12.2006)
		nuffsaid, Irokez CMS <= 0.7.1 Multiple Remote File Include Vulnerabilities (25.12.2006)
		nuffsaid, Jinzora <= 2.7 (include_path) Multiple Remote File Include Vulnerabilities (25.12.2006)
		CorryL, [Full-disclosure] TimberWolf 1.2.2 vulnerable to XSS (25.12.2006)
		xx_hack_xx_2004_(at)_hotmail.com, Multiple Bugs in Future Internet ( XSS & SQL Injection ) (25.12.2006)
		ShaFuq31_(at)_HoTMaiL.CoM, Efkan Forum v1.0 SqL Inj. Vuln. (25.12.2006)

Files:		Newsletter MX <= 1.0.2 (ID) Remote SQL Injection Exploit
		File Upload Manager <= 1.0.6 (detail.asp) Remote SQL Injection Exploit
		Enthrallweb eNews 1.0 Remote User Pass Change Exploit
		Enthrallweb eCoupons 1.0(myprofile.asp) Remote Pass Change Exploit
		Enthrallweb eClassifieds 1.0 Remote User Pass Change Exploit
		Enthrallweb ePages (actualpic.asp) Remote SQL Injection Exploit
		Enthrallweb emates 1.0 (newsdetail.asp) Remote SQL Injection Exploit
		Enthrallweb eJobs (newsdetail.asp) Remote SQL Injection Exploit
		Exploits Pagetool CMS <=1.07 (RFI)
		SH-News 0.93 (misc.php) Remote File Include Exploit
		Exploits HLStats HLStats <=1.34 and Hlstats >= 1.20 SQL Inection + Path Disclosure
		MTCMS <= 2.0 (admin/admin_settings.php) Remote File Include Exploit
		ciberia 1.0<(Ciberia Content Federator)>(maquetacion_socio.php) Remote File Inclusion Exploit
Discuss:		Read or add your comments to this news (0 comments)