Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)

Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
Published:		24.10.2011
Source:
SecurityVulns ID:		11995
Type:		remote
Threat Level:		5/10
Description:		PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.

Affected:		SITEATSCHOOL : [email protected] 2.4
		OPENENGINE : openEngine 2.0
		TINE20 : Tine 2.0
		OCSINVENTORYNG : OCS Inventory NG 2.0
		YETANOTHERCMS : Yet Another CMS 1.0
		DOLPHIN : Dolphin 7.0
		WORDPRESS : BackWPUp 2.1
		BUGFREE : BugFree 2.1
		WORDPRESS : Pretty Link 1.4
		LEDGERSMB : LedgerSMB 1.3
		ZOHO : ADSelfService Plus 4.5
		JOOMLA : JCE 2.0
		KAIBB : KaiBB 2.0
		CONTAO : Contao 2.10
		ACTIVEDEV : Active CMS 1.2
		SIMPLEPRESS : Simple:Press Forum 4.4
CVE:		CVE-2011-4024 (Cross-site scripting (XSS) vulnerability in ocsinventory in OCS Inventory NG 2.0.1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.)
		CVE-2011-1364 (Cross-site request forgery (CSRF) vulnerability in _ah/admin/interactive/execute (aka the Interactive Console) in the SDK Console (aka Admin Console) in the Google App Engine Python SDK before 1.5.4 allows remote attackers to hijack the authentication of administrators for requests that execute arbitrary Python code via the code parameter.)
		CVE-2009-3580 (Cross-site request forgery (CSRF) vulnerability in am.pl in SQL-Ledger 2.8.24 allows remote attackers to hijack the authentication of arbitrary users for requests that change a password via the login, new_password, and confirm_password parameters in a preferences action.)

Original document		MustLive, Code Execution and FPD vulnerabilities in Simple:Press Forum for WordPress (24.10.2011)
		BHG Security Center, Joomla Component (com_sgicatalog) <= SQL Injection Vulnerability (24.10.2011)
		sschurtz_(at)_t-online.de, Active CMS 1.2.0 'mod' Cross-site Scripting Vulnerability (24.10.2011)
		sschurtz_(at)_t-online.de, Contao 2.10.1 Cross-site scripting vulnerability (24.10.2011)
		sschurtz_(at)_t-online.de, openEngine 2.0 'key' Blind SQL Injection vulnerability (24.10.2011)
		sschurtz_(at)_t-online.de, KaiBB 2.0.1 XSS and SQL Injection vulnerabilities (24.10.2011)
		admin_(at)_bugreport.ir, msgid:[email protected][email protected]&[email protected]&folder=\\3APA3A\Bugtraq&subject=Related%20POC%20for%20JCE%20Joomla%20Extension%20<%3D2 (24.10.2011)
		roberto.paleari_(at)_emaze.net, ZOHO ManageEngine ADSelfService Plus Administrative Access (24.10.2011)
		Adi Sharabani, Google App Enging SDK Code Execution Vulnerability (CVE 2011-1364) (24.10.2011)
		Chris Travers, LedgerSMB 1.3.0 released, includes anti-XSRF framework (24.10.2011)
		High-Tech Bridge Security Research, Multiple vulnerabilities in BugFree (24.10.2011)
		High-Tech Bridge Security Research, Multiple vulnerabilities in Pretty Link WordPress Plugin (24.10.2011)
		Drew Calcott, Security-Assessment.com Advisory: Destination Search Admin Console Access Control Bypass (24.10.2011)
		lists_(at)_senseofsecurity.com, WordPress Plugin BackWPUp 2.1.4 - Security Advisory - SOS-11-012 (24.10.2011)
		noreply_(at)_ptsecurity.ru, [PT-2011-14] SQL injection vulnerability in BoonEx Dolphin (24.10.2011)
		sschurtz_(at)_t-online.de, [email protected] 2.4.10 SQL Injection & XSS vulnerabilities (24.10.2011)
		n0b0d13s_(at)_gmail.com, Dolphin <= 7.0.7 (member_menu_queries.php) Remote PHP Code Injection (24.10.2011)
		sschurtz_(at)_t-online.de, Yet Another CMS 1.0 SQL Injection & XSS vulnerabilities (24.10.2011)
		High-Tech Bridge Security Research, Multiple vulnerabilities in Tine 2.0 (24.10.2011)
		Nicolas DEROUET, OCS Inventory NG 2.0.1 Persistent XSS (CVE-2011-4024) (24.10.2011)
		sschurtz_(at)_t-online.de, Metasploit 4.1.0 Web UI stored XSS vulnerability (24.10.2011)
		md.r00t.defacer_(at)_gmail.com, inCommand Technologies, Inc. Cross-site Scripting Vulnerability (24.10.2011)