Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)

[EN] securityvulns.ru
no-pyccku

Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
Published: 13.02.2007
Source:
SecurityVulns ID: 7217
Type: remote
Level: 5/10
Description: PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.

Affected: JPORTAL : Jportal 2.3
JOOMLA : Joomla! 1.0
DOTCLEAR : Dotclear 1.2
CPANEL : cPanel 11
CVE: CVE-2007-0925 (Cross-site scripting (XSS) vulnerability in search/SearchResults.aspx in Community Server allows remote attackers to inject arbitrary web script or HTML via the q parameter.)
CVE-2007-0923 (buscador/buscador.htm in Portal Search allows remote attackers to obtain sensitive information (business logic) via a query string composed of a search for certain characters.)
CVE-2007-0922 (Cross-site scripting (XSS) vulnerability in buscador/buscador.htm in Portal Search allows remote attackers to inject arbitrary web script or HTML via the query string.)
CVE-2007-0921 (Portal Search allows remote attackers to redirect a URL to an arbitrary web site by placing the URL in the query string to the top-level URI.)
CVE-2007-0912 (Cross-Site Request Forgery (CSRF) vulnerability in admin/admin.adm.php in Jportal 2.3.1, and possibly earlier, allows remote attackers to perform privileged actions as administrators by tricking the admin into accessing a URL with modified arguments to admin/admin.adm.php.)
CVE-2007-0890 (Cross-site scripting (XSS) vulnerability in scripts/passwdmysql in cPanel WebHost Manager (WHM) 11.0.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the password parameter.)
CVE-2006-7010 (The mosgetparam implementation in Joomla! before 1.0.10, does not set a variable's data type to integer when the variable's default value is numeric, which has unspecified impact and attack vectors, which may permit SQL injection attacks.)
CVE-2006-7009 (Joomla! before 1.0.10 allows remote attackers to spoof the frontend submission forms, which has unknown impact and attack vectors.)
CVE-2006-7008 (Unspecified vulnerability in Joomla! before 1.0.10 has unknown impact and attack vectors, related to "securing mosmsg from misuse." NOTE: it is possible that this issue overlaps CVE-2006-1029.)

Original document crazy_king_(at)_eno7.org, Inertia News Remote File İnclude (13.02.2007)

bl4ck_(at)_bsdmail.org, XSS in eWay (13.02.2007)

bl4ck_(at)_bsdmail.org, XSS in lighttpd (13.02.2007)

bl4ck_(at)_bsdmail.org, XSS in communityserver ! (13.02.2007)

bl4ck_(at)_bsdmail.org, XSS in JBoss Portal (13.02.2007)

document me you, Virtual Calendar <= (pwd.txt) Remote Password Disclosur Vulnerability (13.02.2007)

claxus_(at)_gmail.com, Radical Technologies - Portal Search- multiple XSS issue (13.02.2007)

dzitu_(at)_poczta.fm, Jportal 2.3.1 CSRF vulnerability (13.02.2007)

raphael.huck_(at)_free.fr, DotClear Full Path Disclosure Vulnerability (13.02.2007)

Discuss: Read or add your comments to this news (0 comments)