Forum - Computer security: vulnerabilities and exploits database

[EN] securityvulns.ru
no-pyccku

Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
Published: 12.11.2007
Source:
SecurityVulns ID: 8329
Type: remote
Level: 5/10
Description: PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc. PHP-Nuke: CAPTCHA protection bypass.

Affected: EGGBLOG : EggBlog 3.1
PHPMYADMIN : phpMyAdmin 2.11
PHPNUKE : PHP-Nuke 8.1
LISCRIPTS : LI-Guestbook 1.2
PEOPLEAGGREGATOR : PeopleAggregator 1.2
CVE: CVE-2007-5631 (Multiple PHP remote file inclusion vulnerabilities in PeopleAggregator 1.2pre6 allow remote attackers to execute arbitrary PHP code via a URL in the current_blockmodule_path parameter to (1) AudiosMediaGalleryModule/AudiosMediaGalleryModule.php, (2) ImagesMediaGalleryModule/ImagesMediaGalleryModule.php, (3) MembersFacewallModule/MembersFacewallModule.php, (4) NewestGroupsModule/NewestGroupsModule.php, (5) UploadMediaModule/UploadMediaModule.php, and (6) VideosMediaGalleryModule/VideosMediaGalleryModule.php in BetaBlockModules/; and (7) the path_prefix parameter to several components.)
CVE-2007-5589 (Muliple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before 2.11.1.2 allow remote attackers to inject arbitrary web script or HTML via certain input available in (1) PHP_SELF in (a) server_status.php, and (b) grab_globals.lib.php, (c) display_change_password.lib.php, and (d) common.lib.php in libraries/; and certain input available in PHP_SELF and (2) PATH_INFO in libraries/common.inc.php. NOTE: there might also be other vectors related to (3) REQUEST_URI.)
CVE-2007-5386 (Cross-site scripting (XSS) vulnerability in scripts/setup.php in phpMyAdmin 2.11.1, when accessed by a browser that does not URL-encode requests, allows remote attackers to inject arbitrary web script or HTML via the query string.)
CVE-2007-3694

Original document phil_(at)_broadbandmechanics.com, PeopleAggregatory security advisory - re CVE-2007-5631 (12.11.2007)

Guns_(at)_0x90.com.ar, PHP-Nuke Module Advertising Blind SQL Injection (12.11.2007)

mesut_(at)_h-labs.org, Eggblog v3.1.0 XSS Vulnerability (12.11.2007)

Advisory_(at)_Aria-Security.net, Aria-Security.Net Research: Rapid Classified HotList Image (12.11.2007)

document Hanno Bock, [Full-disclosure] CVE-2007-3694: Cross site scripting (XSS) in broadcast machine (12.11.2007)

drakomo_(at)_gmail.com, SQL injection bug found in TBSource. (12.11.2007)

root_(at)_hanicker.it, xoops mylinks module - sql injection (12.11.2007)

abc.seo_(at)_gmail.com, li-guestbook sql inj (12.11.2007)

document DEBIAN, [SECURITY] [DSA 1403-1] New phpmyadmin packages fix cross-site scripting (12.11.2007)

Advisory_(at)_Aria-Security.net, Aria-Security.Net Research: Lotfian BROCHURE Management System (12.11.2007)

MustLive, Vulnerability in PHP-Nuke captcha (12.11.2007)

Files: Exploits PHP-Nuke Module Advertising Blind SQL Injection
Discuss: Read or add your comments to this news (0 comments)

Show		Threads
		Messages


Login:*		(Register)
Password:*
(private)	To:
(reply)	Subject:*
Text:

Main Forum (Eng) General security questions not appropriate for another forums.	3proxy Forum (Eng) All 3proxy question must be posted to this forum.	Bugs, Vulnerabilities, PoCs and Exploits (Eng) All vulnerability related questions, vulnerability digging and exploit creation.	Windows programming and administration (Eng) Administering Windows and application development.	Unix programming and administation (Eng) Administering Unix and application development.	Test forum Please post all test messages here. All test messages from different forums will be deteted.
Main Forum (Rus)	3proxy Forum (Rus)	Bugs, Vulnerabilities, PoCs and Exploits (Rus)	Windows programming and administration (Rus)	Unix programming and administation (Rus)