Computer Security

Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
Published: 03.03.2011
Source:
SecurityVulns ID: 11476
Type: remote
Threat Level: 5/10
Description: PHP inclusions, SQL injections, directory traversals, cross-site scripting, information leaks, etc.
Affected: CUBECART : CubeCart 2.0
 PHPIDS : PHPIDS 0.6
 TRIBIQ : Tribiq CMS 5.2
 PRESTASHOP : Prestashop Cartium 1.3
 PRESTASHOP : Prestashop 1.3
 XTCMODIFIED : xtcModified 1.05
 PRAYGAN : Pragyan CMS 3.0
 PHOTOPOST : PhotoPost PHP 4.8
 ALCATEL : OmniPCX Enterprise 9.0
 PYWEBDAV : pywebdav 0.9
 ALCATEL : OmniVista 4760 NMS 5.1
CVE: CVE-2011-0437 (shared/inc/sql/ssh.php in the SSH accounts management implementation in Domain Technologie Control (DTC) before 0.32.9 allows remote authenticated users to delete arbitrary accounts via the edssh_account parameter in a deletesshaccount Delete action.)
 CVE-2011-0436 (The register_user function in client/new_account_form.php in Domain Technologie Control (DTC) before 0.32.9 includes a cleartext password in an e-mail message, which makes it easier for remote attackers to obtain sensitive information by sniffing the network.)
 CVE-2011-0435 (Domain Technologie Control (DTC) before 0.32.9 does not require authentication for (1) admin/bw_per_month.php and (2) client/bw_per_month.php, which allows remote attackers to obtain potentially sensitive bandwidth information via a direct request.)
 CVE-2011-0434 (Multiple SQL injection vulnerabilities in Domain Technologie Control (DTC) before 0.32.9 allow remote attackers to execute arbitrary SQL commands via the cid parameter to (1) admin/bw_per_month.php or (2) client/bw_per_month.php.)
 CVE-2011-0432 (Multiple SQL injection vulnerabilities in the get_userinfo method in the MySQLAuthHandler class in DAVServer/mysqlauth.py in PyWebDAV before 0.9.4.1 allow remote attackers to execute arbitrary SQL commands via the (1) user or (2) pw argument. NOTE: some of these details are obtained from third party information.)
Original documents: ddivulnalert_(at)_ddifrontline.com, DDIVRT-2010-30 Alcatel-Lucent OmniVista 4760 NMS 'lang' Directory Traversal Vulnerability [ CVE-2011-0345 ] (03.03.2011)
 DEBIAN, [SECURITY] [DSA 2177-1] pywebdav security update (03.03.2011)
 DEBIAN, [SECURITY] [DSA 2179-1] dtc security update (03.03.2011)
 IDEFENSE, iDefense Security Advisory 03.01.11: Alcatel-Lucent OmniPCX Enterprise CS CGI Cookie Buffer Overflow Vulnerability (03.03.2011)
 Root_(at)_d99y.com, PhotoPost PHP 4.8c (showgallery.php) Cross Site Scripting (03.03.2011)
 Root_(at)_d99y.com, CubeCart 2.0.6 SQL injection / Cross Site Scripting (03.03.2011)
 Antonio San Martino, Prestashop Cartium 1.3.3 Multiple Cross Site Scripting (XSS) (03.03.2011)
 High-Tech Bridge Security Research, HTB22855: XSRF (CSRF) in Pragyan CMS (03.03.2011)
 High-Tech Bridge Security Research, HTB22856: XSS vulnerability in Pragyan CMS (03.03.2011)
 High-Tech Bridge Security Research, HTB22853: XSS vulnerability in Pragyan CMS (03.03.2011)
 High-Tech Bridge Security Research, HTB22857: Path disclosure in Tribiq CMS (03.03.2011)
 High-Tech Bridge Security Research, HTB22864: XSS vulnerability in xtcModified (03.03.2011)
 High-Tech Bridge Security Research, HTB22863: XSS vulnerability in xtcModified (03.03.2011)
 High-Tech Bridge Security Research, HTB22866: XSS vulnerability in xtcModified (03.03.2011)
 High-Tech Bridge Security Research, HTB22865: XSS vulnerability in xtcModified (03.03.2011)
 High-Tech Bridge Security Research, HTB22837: Path disclosure in PrestaShop (03.03.2011)
 MustLive, Vulnerabilities in PHPIDS (03.03.2011)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod