Computer Security


Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
Published: 29.05.2007
Source:
SecurityVulns ID: 7755
Type: remote
Threat Level: 5/10
Description: PHP inclusions, SQL injections, directory traversals, cross-site scripting, information leaks, etc.
Affected: EGGBLOG : EggBlog 3.1
 DGNEWS : DGNews 2.1
 MYWEBLAND : MyEvent 1.6
CVE: CVE-2007-0694 (Cross-site scripting (XSS) vulnerability in footer.php in DGNews 2.1 allows remote attackers to inject arbitrary web script or HTML via the copyright parameter.)
 CVE-2007-0693 (SQL injection vulnerability in news.php in DGNews 2.1 allows remote attackers to execute arbitrary SQL commands via the catid parameter in a newslist action. NOTE: this issue can produce resultant cross-site scripting (XSS).)
 CVE-2007-0692 (DGNews 2.1 allows remote attackers to obtain sensitive information via a fullnews request to news.php with an invalid newsid parameter, and other unspecified vectors, which reveal the path in various error messages.)
 CVE-2007-0690 (myEvent 1.6 allows remote attackers to obtain sensitive information via (1) a Log In action without a password to login.php, or an invalid (2) view[] or (3) monthno[] parameter to myevent.php, which reveals the path in various error messages.)
Original document: Aesthetico, [MajorSecurity Advisory #48]eggblog - Session fixation Issue (29.05.2007)
 laurent gaffie, Re: DGNews version 2.1 SQL Injection Vulnerability (29.05.2007)
 Michal Majchrowicz, [Full-disclosure] Uebimiau Webmail Multiple Vulnerabilities (29.05.2007)
 securityresearch_(at)_netvigilance.com, DGNews version 2.1 Path Disclosure Vulnerability (29.05.2007)
 securityresearch_(at)_netvigilance.com, DGNews version 2.1 SQL Injection Vulnerability (29.05.2007)
 securityresearch_(at)_netvigilance.com, myEvent version 1.6 Multiple Path Disclosure Vulnerabilities (29.05.2007)
 securityresearch_(at)_netvigilance.com, DGNews version 2.1 XSS Attack Vulnerability (29.05.2007)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod