Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl) updated since 13.07.2007

Published: 13.07.2007
Source:
SecurityVulns ID: 7929
Type: remote
Level: 5/10
Description: PHP inclusions, SQL injections, directory traversals, cross-site scripting, information leaks, etc.

Affected:
  OSCOMMERCE : osCommerce 2.2
  GOOGLE : Google Custom Search Engine
  ALTAVISTA : AltaVista local engine
  ACTIVEWEB : activeWeb contentserver 5.6
  SITESCAPE : SiteScape 7.2
  YANDEX : Yandex.Server

CVE:
  CVE-2007-3484 (** DISPUTED ** Cross-site scripting (XSS) vulnerability in search.php in Google Custom Search Engine allows remote attackers to inject arbitrary web script or HTML via the q parameter. NOTE: this issue is disputed by the Google Security Team, who states that "Google does not provide the 'search.php' script referenced. When a user creates a custom search engine, we provide them with a block of javascript to include on their site. Some users write additional code around this block of javascript to further customize their website.")
  CVE-2007-3018 (activeWeb contentserver CMS before 5.6.2964 does not limit the file-creation ability of editors who have restricted accounts, which allows these editors to create files in arbitrary directories.)
  CVE-2007-3017 (The WYSIWYG editor applet in activeWeb contentserver CMS before 5.6.2964 only filters malicious tags from articles sent to admin/applets/wysiwyg/rendereditor.asp, which allows remote authenticated users to inject arbitrary JavaScript via a request to admin/worklist/worklist_edit.asp.)
  CVE-2007-3014 (Multiple cross-site scripting (XSS) vulnerabilities in activeWeb contentserver before 5.6.2964 allow remote attackers to inject arbitrary web script or HTML via the msg parameter to (1) errors/rights.asp or (2) errors/transaction.asp, or (3) the name of a MIME type (mimetype).)
  CVE-2007-3013 (SQL injection vulnerability in activeWeb contentserver before 5.6.2964 allows remote authenticated users with edit permission to execute arbitrary SQL commands via the id parameter to admin/picture/picture_real_edit.asp, and probably other unspecified vectors.)
Original documents:
  MustLive, MOSEB-07 Bonus: Vulnerabilities in Yandex.Server (15.07.2007)
  MustLive, Vulnerabilities in Yandex.Server (15.07.2007)
  MustLive, Vulnerability in AltaVista local search engine (15.07.2007)
  Marc Ruef, [scip_Advisory 3159] SiteScape forum prior 7.3 Cross Site Scripting (13.07.2007)
  Marc Ruef, [Full-disclosure] [scip_Advisory 3159] SiteScape forum prior 7.3 Cross Site Scripting (13.07.2007)
  does_not_exist_(at)_jmp-esp.kicks-ass.net, MkPortal - Multiple SQL Injection Vulnerabilities (13.07.2007)
  RedTeam Pentesting, [Full-disclosure] ActiveWeb Contentserver CMS Multiple Cross Site Scriptings (13.07.2007)
  RedTeam Pentesting, [Full-disclosure] ActiveWeb Contentserver CMS Editor Permission Settings Problem (13.07.2007)
  RedTeam Pentesting, [Full-disclosure] ActiveWeb Contentserver CMS SQL Injection Management Interface (13.07.2007)
  RedTeam Pentesting, [Full-disclosure] ActiveWeb Contentserver CMS Clientside Filtering of Page Editor Content (13.07.2007)
  Debasis Mohanty, Re: [Full-disclosure] ActiveWeb Contentserver CMS Multiple Cross Site Scriptings (13.07.2007)
  matrix_killer ma3x, osCommerce Online Merchant v2.2 RC1 local include bug (13.07.2007)
  MustLive, MOSEB-15 Bonus: Vulnerability in Google Custom Search Engine (13.07.2007)
  MustLive, MOSEB-12 Bonus: Vulnerability in AltaVista (13.07.2007)
  MustLive, Vulnerability in Google Custom Search Engine (13.07.2007)