Computer Security
Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
SecurityVulns ID:8329
Threat Level:
Description: PHP inclusions, SQL injections, directory traversals, cross-site scripting, information leaks, etc. PHP-Nuke: CAPTCHA protection bypass.
Affected:
 EGGBLOG : EggBlog 3.1
 PHPMYADMIN : phpMyAdmin 2.11
 PHPNUK : PHP-Nuke 8.1
 LISCRIPTS : LI-Guestbook 1.2
 PEOPLEAGGREGATOR : PeopleAggregator 1.2
CVE:
 CVE-2007-5631 (Multiple PHP remote file inclusion vulnerabilities in PeopleAggregator 1.2pre6 allow remote attackers to execute arbitrary PHP code via a URL in the current_blockmodule_path parameter to (1) AudiosMediaGalleryModule/AudiosMediaGalleryModule.php, (2) ImagesMediaGalleryModule/ImagesMediaGalleryModule.php, (3) MembersFacewallModule/MembersFacewallModule.php, (4) NewestGroupsModule/NewestGroupsModule.php, (5) UploadMediaModule/UploadMediaModule.php, and (6) VideosMediaGalleryModule/VideosMediaGalleryModule.php in BetaBlockModules/; and (7) the path_prefix parameter to several components.)
 CVE-2007-5589 (Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before allow remote attackers to inject arbitrary web script or HTML via certain input available in (1) PHP_SELF in (a) server_status.php, and (b) grab_globals.lib.php, (c) display_change_password.lib.php, and (d) common.lib.php in libraries/; and certain input available in PHP_SELF and (2) PATH_INFO in libraries/ NOTE: there might also be other vectors related to (3) REQUEST_URI.)
 CVE-2007-5386 (Cross-site scripting (XSS) vulnerability in scripts/setup.php in phpMyAdmin 2.11.1, when accessed by a browser that does not URL-encode requests, allows remote attackers to inject arbitrary web script or HTML via the query string.)
Original documents:
 phil_(at), PeopleAggregatory security advisory - re CVE-2007-5631 (12.11.2007)
 Guns_(at), PHP-Nuke Module Advertising Blind SQL Injection (12.11.2007)
 mesut_(at), Eggblog v3.1.0 XSS Vulnerability (12.11.2007)
 Advisory_(at), Aria-Security.Net Research: Rapid Classified HotList Image (12.11.2007)
 Hanno Bock, [Full-disclosure] CVE-2007-3694: Cross site scripting (XSS) in broadcast machine (12.11.2007)
 drakomo_(at), SQL injection bug found in TBSource. (12.11.2007)
 root_(at), xoops mylinks module - sql injection (12.11.2007)
 abc.seo_(at), li-guestbook sql inj (12.11.2007)
 DEBIAN, [SECURITY] [DSA 1403-1] New phpmyadmin packages fix cross-site scripting (12.11.2007)
 Advisory_(at), Aria-Security.Net Research: Lotfian BROCHURE Management System (12.11.2007)
 MustLive, Vulnerability in PHP-Nuke captcha (12.11.2007)
