Computer Security
[EN] securityvulns.ru



Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
Published: 29.05.2007
Source:
SecurityVulns ID: 7755
Type: remote
Level: 5/10
Description: PHP inclusions, SQL injections, directory traversals, cross-site scripting, information leaks, etc.
Affected: EGGBLOG : EggBlog 3.1
 DGNEWS : DGNews 2.1
 MYWEBLAND : MyEvent 1.6
CVE: CVE-2007-0694 (Cross-site scripting (XSS) vulnerability in footer.php in DGNews 2.1 allows remote attackers to inject arbitrary web script or HTML via the copyright parameter.)
 CVE-2007-0693 (SQL injection vulnerability in news.php in DGNews 2.1 allows remote attackers to execute arbitrary SQL commands via the catid parameter in a newslist action. NOTE: this issue can produce resultant cross-site scripting (XSS).)
 CVE-2007-0692 (DGNews 2.1 allows remote attackers to obtain sensitive information via a fullnews request to news.php with an invalid newsid parameter, and other unspecified vectors, which reveal the path in various error messages.)
 CVE-2007-0690 (myEvent 1.6 allows remote attackers to obtain sensitive information via (1) a Log In action without a password to login.php, or an invalid (2) view[] or (3) monthno[] parameter to myevent.php, which reveals the path in various error messages.)
Original document: Aesthetico, [MajorSecurity Advisory #48] eggblog - Session fixation Issue (29.05.2007)
 laurent.gaffie_(at)_gmail.com, Re: DGNews version 2.1 SQL Injection Vulnerability (29.05.2007)
 Michal Majchrowicz, [Full-disclosure] Uebimiau Webmail Multiple Vulnerabilities (29.05.2007)
 securityresearch_(at)_netvigilance.com, DGNews version 2.1 Path Disclosure Vulnerability (29.05.2007)
 securityresearch_(at)_netvigilance.com, DGNews version 2.1 SQL Injection Vulnerability (29.05.2007)
 securityresearch_(at)_netvigilance.com, myEvent version 1.6 Multiple Path Disclosure Vulnerabilities (29.05.2007)
 securityresearch_(at)_netvigilance.com, DGNews version 2.1 XSS Attack Vulnerability (29.05.2007)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
 


