Computer Security

Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
back  news / advisories / forum / software / advertising / search / exploits  forward
[EN] securityvulns.ru
no-pyccku



Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
Published:12.11.2007
Source:
SecurityVulns ID:8329
Type:remote
Level:5/10
Description:PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc. PHP-Nuke: CAPTCHA protection bypass.
Affected:EGGBLOG : EggBlog 3.1
 PHPMYADMIN : phpMyAdmin 2.11
 PHPNUKE : PHP-Nuke 8.1
 LISCRIPTS : LI-Guestbook 1.2
 PEOPLEAGGREGATOR : PeopleAggregator 1.2
CVE:CVE-2007-5631 (Multiple PHP remote file inclusion vulnerabilities in PeopleAggregator 1.2pre6 allow remote attackers to execute arbitrary PHP code via a URL in the current_blockmodule_path parameter to (1) AudiosMediaGalleryModule/AudiosMediaGalleryModule.php, (2) ImagesMediaGalleryModule/ImagesMediaGalleryModule.php, (3) MembersFacewallModule/MembersFacewallModule.php, (4) NewestGroupsModule/NewestGroupsModule.php, (5) UploadMediaModule/UploadMediaModule.php, and (6) VideosMediaGalleryModule/VideosMediaGalleryModule.php in BetaBlockModules/; and (7) the path_prefix parameter to several components.)
 CVE-2007-5589 (Muliple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before 2.11.1.2 allow remote attackers to inject arbitrary web script or HTML via certain input available in (1) PHP_SELF in (a) server_status.php, and (b) grab_globals.lib.php, (c) display_change_password.lib.php, and (d) common.lib.php in libraries/; and certain input available in PHP_SELF and (2) PATH_INFO in libraries/common.inc.php. NOTE: there might also be other vectors related to (3) REQUEST_URI.)
 CVE-2007-5386 (Cross-site scripting (XSS) vulnerability in scripts/setup.php in phpMyAdmin 2.11.1, when accessed by a browser that does not URL-encode requests, allows remote attackers to inject arbitrary web script or HTML via the query string.)
 CVE-2007-3694
Original documentdocumentphil_(at)_broadbandmechanics.com, PeopleAggregatory security advisory - re CVE-2007-5631 (12.11.2007)
 documentGuns_(at)_0x90.com.ar, PHP-Nuke Module Advertising Blind SQL Injection (12.11.2007)
 documentmesut_(at)_h-labs.org, Eggblog v3.1.0 XSS Vulnerability (12.11.2007)
 documentAdvisory_(at)_Aria-Security.net, Aria-Security.Net Research: Rapid Classified HotList Image (12.11.2007)
 documentHanno Bock, [Full-disclosure] CVE-2007-3694: Cross site scripting (XSS) in broadcast machine (12.11.2007)
 documentdrakomo_(at)_gmail.com, SQL injection bug found in TBSource. (12.11.2007)
 documentroot_(at)_hanicker.it, xoops mylinks module - sql injection (12.11.2007)
 documentabc.seo_(at)_gmail.com, li-guestbook sql inj (12.11.2007)
 documentDEBIAN, [SECURITY] [DSA 1403-1] New phpmyadmin packages fix cross-site scripting (12.11.2007)
 documentAdvisory_(at)_Aria-Security.net, Aria-Security.Net Research: Lotfian BROCHURE Management System (12.11.2007)
 documentMustLive, Vulnerability in PHP-Nuke captcha (12.11.2007)
Files:Exploits PHP-Nuke Module Advertising Blind SQL Injection
Discuss:Read or add your comments to this news (0 comments)
About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
 


Рейтинг@Mail.ru