Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)

[EN] securityvulns.ru
no-pyccku

Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
updated since 05.03.2007
Published: 05.03.2007
Source:
SecurityVulns ID: 7347
Type: remote
Level: 5/10
Description: PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.

Affected: UPLOADSCRIPT : UploadScript 1.02
WORDPRESS : WordPress 2.1
RRDBROWSE : rrdbrowse 1.6
EPORTFOLIO : ePortfolio 1.0
SAVASPLACE : Sava's GuestBook 23.11.2006
LISCRIPTS : LI-Guestbook 1.1
VCARD : vCard 2.6
CVE: CVE-2007-1332 (Multiple cross-site request forgery (CSRF) vulnerabilities in TKS Banking Solutions ePortfolio 1.0 Java allow remote attackers to perform unspecified restricted actions in the context of certain accounts by bypassing the client-side protection scheme.)
CVE-2007-1331 (Multiple cross-site scripting (XSS) vulnerabilities in TKS Banking Solutions ePortfolio 1.0 Java allow remote attackers to inject arbitrary web script or HTML via unspecified vectors that bypass the client-side protection scheme, one of which may be the q parameter to the search program. NOTE: some of these details are obtained from third party information.)
CVE-2007-1305 (Multiple cross-site scripting (XSS) vulnerabilities in add2.php in Sava's Guestbook 23.11.2006 allow remote attackers to inject arbitrary web script or HTML via the (1) name, (2) country, (3) email, and (4) website parameters.)
CVE-2007-1304 (Multiple SQL injection vulnerabilities in add2.php in Sava's Guestbook 23.11.2006, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) name, (2) country, (3) email, (4) website, and (5) message parameters.)
CVE-2007-1303 (Directory traversal vulnerability in rb.cgi in RRDBrowse 1.6 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.)
CVE-2007-1302 (SQL injection vulnerability in guestbook.php in LI-Guestbook 1.1, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the country parameter.)

Original document ciri_(at)_virtuax.be, Wordpress <= v2.1.0 (05.03.2007)

RaeD Hasadya, XSS Remote In vCard 2.6 (c)2002 (05.03.2007)

Sebastian Wolfgarten, Arbitrary file disclosure vulnerability in rrdbrowse <= 1.6 (05.03.2007)

bugtraq_(at)_belsec.com, LI-Guestbook SQL Injection Vulnerability (05.03.2007)

document bugtraq_(at)_belsec.com, Sava's GuestBook Multiple Vulnerabilities (05.03.2007)

RaeD Hasadya, XXS in script Phorum (05.03.2007)

RaeD Hasadya, Show Password Admin In Script Uploadscript (05.03.2007)

Stefan Friedli, ePortfolio version 1.0 Java Multiple Input Validation Vulnerabilities (05.03.2007)

document Sebastian Wolfgarten, [Full-disclosure] Arbitrary file disclosure vulnerability in rrdbrowse <= 1.6 (05.03.2007)

Discuss: Read or add your comments to this news (0 comments)

test server