Forum - Computer security: vulnerabilities and exploits database

[EN] securityvulns.ru
no-pyccku

Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
Published: 13.02.2007
Source:
SecurityVulns ID: 7217
Type: remote
Level: 5/10
Description: PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.

Affected: JPORTAL : Jportal 2.3
JOOMLA : Joomla! 1.0
DOTCLEAR : Dotclear 1.2
CPANEL : cPanel 11
CVE: CVE-2007-0925 (Cross-site scripting (XSS) vulnerability in search/SearchResults.aspx in Community Server allows remote attackers to inject arbitrary web script or HTML via the q parameter.)
CVE-2007-0923 (buscador/buscador.htm in Portal Search allows remote attackers to obtain sensitive information (business logic) via a query string composed of a search for certain characters.)
CVE-2007-0922 (Cross-site scripting (XSS) vulnerability in buscador/buscador.htm in Portal Search allows remote attackers to inject arbitrary web script or HTML via the query string.)
CVE-2007-0921 (Portal Search allows remote attackers to redirect a URL to an arbitrary web site by placing the URL in the query string to the top-level URI.)
CVE-2007-0912 (Cross-Site Request Forgery (CSRF) vulnerability in admin/admin.adm.php in Jportal 2.3.1, and possibly earlier, allows remote attackers to perform privileged actions as administrators by tricking the admin into accessing a URL with modified arguments to admin/admin.adm.php.)
CVE-2007-0890 (Cross-site scripting (XSS) vulnerability in scripts/passwdmysql in cPanel WebHost Manager (WHM) 11.0.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the password parameter.)
CVE-2006-7010 (The mosgetparam implementation in Joomla! before 1.0.10, does not set a variable's data type to integer when the variable's default value is numeric, which has unspecified impact and attack vectors, which may permit SQL injection attacks.)
CVE-2006-7009 (Joomla! before 1.0.10 allows remote attackers to spoof the frontend submission forms, which has unknown impact and attack vectors.)
CVE-2006-7008 (Unspecified vulnerability in Joomla! before 1.0.10 has unknown impact and attack vectors, related to "securing mosmsg from misuse." NOTE: it is possible that this issue overlaps CVE-2006-1029.)

Original document crazy_king_(at)_eno7.org, Inertia News Remote File İnclude (13.02.2007)

bl4ck_(at)_bsdmail.org, XSS in eWay (13.02.2007)

bl4ck_(at)_bsdmail.org, XSS in lighttpd (13.02.2007)

bl4ck_(at)_bsdmail.org, XSS in communityserver ! (13.02.2007)

bl4ck_(at)_bsdmail.org, XSS in JBoss Portal (13.02.2007)

document me you, Virtual Calendar <= (pwd.txt) Remote Password Disclosur Vulnerability (13.02.2007)

claxus_(at)_gmail.com, Radical Technologies - Portal Search- multiple XSS issue (13.02.2007)

dzitu_(at)_poczta.fm, Jportal 2.3.1 CSRF vulnerability (13.02.2007)

raphael.huck_(at)_free.fr, DotClear Full Path Disclosure Vulnerability (13.02.2007)

Discuss: Read or add your comments to this news (0 comments)

Show		Threads
		Messages


Login:*		(Register)
Password:*
(private)	To:
(reply)	Subject:*
Text:

Main Forum (Eng) General security questions not appropriate for another forums.	3proxy Forum (Eng) All 3proxy question must be posted to this forum.	Bugs, Vulnerabilities, PoCs and Exploits (Eng) All vulnerability related questions, vulnerability digging and exploit creation.	Windows programming and administration (Eng) Administering Windows and application development.	Unix programming and administation (Eng) Administering Unix and application development.	Test forum Please post all test messages here. All test messages from different forums will be deteted.
Main Forum (Rus)	3proxy Forum (Rus)	Bugs, Vulnerabilities, PoCs and Exploits (Rus)	Windows programming and administration (Rus)	Unix programming and administation (Rus)