Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)

| Published: | 21.12.2009 |
| Source: | |
| SecurityVulns ID: | 10485 |
| Type: | remote |
| Level: | 5/10 |
| Description: | PHP inclusions, SQL injections, directory traversals, cross-site scripting, information leaks, etc. |
| Affected: | DVBBS : Dvbbs 7.1 |
| | SIMPLEPHPBLOG : Simple PHP Blog 0.5 |
| | PHPCALENDAR : PHP-Calendar 1.1 |
| | GANETI : Ganeti 1.2 |
| | GANETI : Ganeti 2.0 |
| | GANETI : Ganeti 2.1 |
| | SIMPLEMACHINES : Simple Machine Forum 1.1 |
| | PHPPOLLSCRIPT : phpPollScript 1.3 |
| CVE: | CVE-2009-4261 (Multiple directory traversal vulnerabilities in the iallocator framework in Ganeti 1.2.4 through 1.2.8, 2.0.0 through 2.0.4, and 2.1.0 before 2.1.0~rc2 allow (1) remote attackers to execute arbitrary programs via a crafted external script name supplied through the HTTP remote API (RAPI) and allow (2) local users to execute arbitrary programs and gain privileges via a crafted external script name supplied through a gnt-* command, related to "path sanitization errors.") |
| | CVE-2009-3702 (Multiple absolute path traversal vulnerabilities in PHP-Calendar 1.1 allow remote attackers to include and execute arbitrary local files via a full pathname in the configfile parameter to (1) update08.php or (2) update10.php. NOTE: in some environments, this can be leveraged for remote file inclusion by using a UNC share pathname or an ftp, ftps, or ssh2.sftp URL.) |