Computer Security
[EN] securityvulns.ru no-pyccku


Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
Published:10.11.2008
Source:
SecurityVulns ID:9411
Type:remote
Threat Level:
5/10
Description:PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc. CimWebCenter: crossite scripting, informationleakage.
Affected:GALLERY : Gallery 1.5
 INDISGUISE : Enthusiast 3.1
 MOINMOIN : MoinMoin 1.5
 HMAILSERVER : hMAilServer 4.4
 CIMWEBCENTER : CimWebCenter 4.0
 COLLABTIVE : Collabtive 0.4
 GALLERY : Gallery 2.2
 ARABPORTAL : Arab Portal 2.1
 BOGDUMP : BigDump 0.29
CVE:CVE-2008-4931 (Cross-site scripting (XSS) vulnerability in the account module in firmCHANNEL Digital Signage 3.24, and possibly earlier versions, allows remote attackers to inject arbitrary web script or HTML via the action parameter to index.php.)
 CVE-2008-4130 (Cross-site scripting (XSS) vulnerability in Gallery 2.x before 2.2.6 allows remote attackers to inject arbitrary web script or HTML via a crafted Flash animation, related to the ability of the animation to "interact with the embedding page.")
 CVE-2008-4129 (Gallery before 1.5.9, and 2.x before 2.2.6, does not properly handle ZIP archives containing symbolic links, which allows remote authenticated users to conduct directory traversal attacks and read arbitrary files via vectors related to the archive upload (aka zip upload) functionality.)
 CVE-2008-3662 (Gallery before 1.5.9, and 2.x before 2.2.6, does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.)
 CVE-2008-3600 (Directory traversal vulnerability in contrib/phpBB2/modules.php in Gallery 1.5.7 and 1.6-alpha3, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the phpEx parameter within a modload action.)
Original documentdocumentXiaShing_(at)_gmail.com, Remote access vulnerability using BigDump ver. 0.29b (10.11.2008)
 documentr3d.w0rm_(at)_yahoo.com, Arab Portal v2.1 Remote File Disclosure (Win32) (10.11.2008)
 documentnospam_(at)_email.it, hMAilServer 4.4.2 (PHPWebAdmin) local & remote file inclusion (10.11.2008)
 documentBrad Antoniewicz, FirmChannel Digital Signage 3.24 Cross-site scripting (10.11.2008)
 documentbeenudel1986_(at)_gmail.com, DriveCMS article.php remote sql injection (10.11.2008)
 documentadmin_(at)_bugreport.ir, Enthusiast 3 Remote Code Execution (10.11.2008)
 documentf.bianchino_(at)_gmail.com, Metrica Service Assurance Multiple Cross Site Scripting (10.11.2008)
 documentXiaShing_(at)_gmail.com, Multiple remote vulnerabilities MoinMoin v1.80 (10.11.2008)
 documentascii, Collabtive 0.4.8 Multiple Vulnerabilities (10.11.2008)
 documentMustLive, Vulnerabilities in CimWebCenter (10.11.2008)

About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod