Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
Published:		17.12.2010
Source:
SecurityVulns ID:		11310
Type:		remote
Level:		5/10
Description:		PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.

Affected:		SLICKMSG : slickMsg 0.7
		POINTERPHP : Pointter PHP Content Management System 1.0
		SOCIALSHARE : Social Share 2010-06-05
CVE:		CVE-2010-4333 (Pointter PHP Micro-Blogging Social Network 1.8 allows remote attackers to bypass authentication and obtain administrative privileges via arbitrary values of the auser and apass cookies.)
		CVE-2010-4332 (Pointter PHP Content Management System 1.0 allows remote attackers to bypass authentication and obtain administrative privileges via arbitrary values of the auser and apass cookies.)
		CVE-2010-4277 (Cross-site scripting (XSS) vulnerability in lembedded-video.php in the Embedded Video plugin 4.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the content parameter to wp-admin/post.php.)

Original document		CHECKPOINT, Embedded Video WordPress Plugin Cross Site Vulnerability (XSS) - CVE-2010-4277 (17.12.2010)
		Aliaksandr Hartsuyeu, www.eVuln.com : "link" and "linkdescription" XSS in Social Share (17.12.2010)
		Aliaksandr Hartsuyeu, www.eVuln.com : "titl","url" - Non-persistent XSS in Social Share (17.12.2010)
		ProCheckUp Research, PR10-06: Cross-domain redirect on PGP Universal Web Messenger (17.12.2010)
		Aliaksandr Hartsuyeu, www.eVuln.com : "error" Non-persistent XSS in slickMsg (17.12.2010)
		MustLive, Новые уязвимости в eSitesBuilder (17.12.2010)
		Mark Stanislav, 'Pointter PHP Micro-Blogging Social 'Pointter PHP Content Management System' Unauthorized Privilege Escalation (CVE-2010-4332) (17.12.2010)
		Mark Stanislav, 'Pointter PHP Micro-Blogging Social Network' Unauthorized Privilege Escalation (CVE-2010-4333) (17.12.2010)

Discuss:

Read or add your comments to this news (0 comments)

Eucalyptus unauthorized access
Published:		17.12.2010
Source:		BUGTRAQ
SecurityVulns ID:		11311
Type:		remote
Level:		5/10
Description:		Old password is not verified during password reset in administration interface.

Affected:		EUCALYPTUS : eucalyptus 2.0
CVE:		CVE-2010-3905 (The password reset feature in the administrator interface for Eucalyptus 2.0.0 and 2.0.1 does not perform authentication, which allows remote attackers to gain privileges by sending password reset requests for other users.)

Original document

UBUNTU, [USN-1033-1] Eucalyptus vulnerability (17.12.2010)

Discuss:

Read or add your comments to this news (0 comments)

Alt-N WebAdmin information disclosure
Published:		17.12.2010
Source:		BUGTRAQ
SecurityVulns ID:		11312
Type:		remote
Level:		5/10
Description:		It's possible to obtain file source code by adding %20 or %2e to request.

Affected:		ALTN : WebAdmin 3.3
		ALTN : U-Mail 9.8

Original document

wsn1983_(at)_gmail.com, Alt-N WebAdmin Source Code Disclosure (17.12.2010)

Discuss:

Read or add your comments to this news (0 comments)

HP Discovery & Dependency Mapping Inventory
Published:		17.12.2010
Source:		BUGTRAQ
SecurityVulns ID:		11313
Type:		remote
Level:		5/10

Affected:		HP : HP Discovery & Dependency Mapping Inventory 7.51
		HP : HP Discovery & Dependency Mapping Inventory 2.52
		HP : HP Discovery & Dependency Mapping Inventory 7.61
CVE:		CVE-2010-4114 (Cross-site scripting (XSS) vulnerability in HP Discovery & Dependency Mapping Inventory (DDMI) 2.5x, 7.5x, and 7.6x allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.)

Original document

HP, [security bulletin] HPSBMA02617 SSRT100338 rev.1 - HP Discovery & Dependency Mapping Inventory (DDMI) Running on Windows, Remote Cross SIte Scripting (XSS) (17.12.2010)

Discuss:

Read or add your comments to this news (0 comments)

HP StorageWorks MSA2000 backdoor account updated since 15.12.2010
Published:		17.12.2010
Source:		BUGTRAQ
SecurityVulns ID:		11299
Type:		remote
Level:		6/10
Description:		Hidden backdoor account 'admin' with password '!admin'

Affected:		HP : StorageWorks MSA2000
CVE:		CVE-2010-4115 (HP StorageWorks Modular Smart Array P2000 G3 firmware TS100R011, TS100R025, TS100P002, TS200R005, TS201R014, and TS201R015 installs an undocumented admin account with a default "!admin" password, which allows remote attackers to gain privileges.)

Original document		HP, [security bulletin] HPSBST02620 SSRT100356 rev.1 - HP StorageWorks Modular Smart Array P2000 G3, Remote Unauthorized Access (17.12.2010)
		Pavel Kankovsky, Re: hidden admin user on every HP MSA2000 G3 (15.12.2010)
		hpdisclosure_(at)_anonmail.de, hidden admin user on every HP MSA2000 G3 (15.12.2010)

Discuss:

Read or add your comments to this news (0 comments)

HP Power Manager code execution
Published:		17.12.2010
Source:		BUGTRAQ
SecurityVulns ID:		11314
Type:		remote
Level:		5/10

CVE:

CVE-2010-4113 (Stack-based buffer overflow in HP Power Manager (HPPM) before 4.3.2 allows remote attackers to execute arbitrary code via a long Login variable to the management web server.)

Original document

HP, [security bulletin] HPSBMA02545 SSRT100139 rev.1 - HP Power Manager (HPPM) Running on Linux and Windows, Remote Execution of Arbitrary Code (17.12.2010)

Discuss:

Read or add your comments to this news (0 comments)