Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
Published:		24.01.2008
Source:		BUGTRAQ
SecurityVulns ID:		8598
Type:		remote
Level:		5/10
Description:		PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc. Relay: SQL injection and crossite scripting.

Affected:		WOLTLAB : Woltlab Burning Board 2.3
		TIKIWIKI : tikiwiki 1.9
		RELAY : Relay 1.0
		WORDPRESS : Dean’s Permalinks Migration 1.0
		WEBWIZ : Web Wiz Forums 9.07
		WEBWIZ : Web Wiz Rich Text Editor 4.0
		WEBWIZ : Web Wiz NewsPad 1.02
CVE:		CVE-2007-6529 (Multiple unspecified vulnerabilities in TikiWiki before 1.9.9 have unknown impact and attack vectors involving (1) tiki-edit_css.php, (2) tiki-list_games.php, or (3) tiki-g-admin_shared_source.php.)
		CVE-2007-6528 (Directory traversal vulnerability in tiki-listmovies.php in TikiWiki before 1.9.9 allows remote attackers to read arbitrary files via a .. (dot dot) and modified filename in the movie parameter.)
		CVE-2007-6526 (Cross-site scripting (XSS) vulnerability in tiki-special_chars.php in TikiWiki before 1.9.9 allows remote attackers to inject arbitrary web script or HTML via the area_name parameter.)

Original document		0in.email_(at)_gmail.com, Tiger PHP News System SQL Injection (24.01.2008)
		GENTOO, [ GLSA 200801-10 ] TikiWiki: Multiple vulnerabilities (24.01.2008)
		nbbn_(at)_gmx.net, Woltlab Burning Board 2.3.6 PL2 Remote Delete Thread XSRF Vulnerability (24.01.2008)
		admin_(at)_bugreport.ir, Web Wiz Rich Text Editor Directory traversal + HTM/HTML file creation on the server (24.01.2008)
		admin_(at)_bugreport.ir, Web Wiz NewsPad Directory traversal (24.01.2008)
		admin_(at)_bugreport.ir, Web Wiz Forums Directory traversal (24.01.2008)
		g30rg3_x, XSRF under Dean’s Permalinks Migration 1.0 (24.01.2008)
		MustLive, New vulnerabilities in Relay (24.01.2008)

Discuss:

Read or add your comments to this news (0 comments)