Computer Security
[EN] no-pyccku

Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
SecurityVulns ID:7310
Threat Level:
Description:PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.
Affected:WORDPRESS : WordPress 2.1
 ADMINPHORUM : Admin Phorum 3.3
 WICLEAR : Wiclear 0.11
CVE:CVE-2007-1244 (Cross-site request forgery (CSRF) vulnerability in the AdminPanel in WordPress 2.1.1 and earlier allows remote attackers to perform privileged actions as administrators, as demonstrated using the delete action in wp-admin/post.php. NOTE: this issue can be leveraged to perform cross-site scripting (XSS) attacks and steal cookies via the post parameter.)
 CVE-2007-1230 (Multiple cross-site scripting (XSS) vulnerabilities in wp-includes/functions.php in WordPress before 2.1.2-alpha allow remote attackers to inject arbitrary web script or HTML via (1) the Referer HTTP header or (2) the URI, a different vulnerability than CVE-2007-1049.)
 CVE-2007-1219 (PHP remote file inclusion vulnerability in actions/del.php in Admin Phorum 3.3.1a allows remote attackers to execute arbitrary PHP code via a URL in the include_path parameter.)
 CVE-2007-1097 (Unrestricted file upload vulnerability in the onAttachFiles function in the upload tool (inc/lib/attachment.lib.php) in Wiclear before 0.11.1 allows remote attackers to upload and execute arbitrary PHP code via unspecified vectors related to filename validation. NOTE: some details were obtained from third party information.)
Original documentdocumentGolD_M, Admin Phorum 3.3.1.a (del.php include_path)File Include Vulnerability (28.02.2007)
 documentSaMuschie, [email protected] (28.02.2007)

About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod