Computer Security
[EN] securityvulns.ru no-pyccku


Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
Published:25.12.2006
Source:
SecurityVulns ID:6969
Type:remote
Threat Level:
5/10
Description:PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.
Affected:ENTHRALLWEB : Enthrallweb ePages 1.0
 ENTHRALLWEB : Enthrallweb eClassifieds 1.0
 ENTHRALLWEB : Enthrallweb eCoupons 1.0
 ENTHRALLWEB : Enthrallweb eNews 1.0
 ENTHRALLWEB : Dragon Business Directory 3.01
 MXMANIA : Calendar MX BASIC 1.0
 OKULMERKEZIPORTA : Okul Merkezi Portal 1.0
 PAGETOOL : Pagetool CMS 1.07
 B2 : B2 blog 0.5
 SHNEWS : SH-News 0.93
 OPENTAPS : opentaps 0.9
 ABLOG : a-blog 1.52
 HLSTATS : HLStats 1.34
 EFKAN : Efkan Forum 1.0
 JINZORA : Jinzora 2.7
 IROKEZ : Irokez CMS 0.7
 ENDONESIA : eNdonesia 8.4
 CIBERIA : ciberia 1.0
 SHADOWEDPORTAL : Shadowed Portal 5.7
 FILEUPLOADMAN : File Upload Manager 1.0
 MXMANIA : Newsletter MX 1.0
 ANANDA : Ananda Real Estate 3.4
 ENTHRALLWEB : Enthrallweb ePhotos 1.0
 ENTHRALLWEB : Enthrallweb eHomes 1.0
 ENTHRALLWEB : Enthrallweb eCars 1.0
 ENTHRALLWEB : Enthrallweb eMates 1.0
CVE:CVE-2007-0840 (Cross-site scripting (XSS) vulnerability in HLstats before 1.35 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors in the search class. NOTE: it is possible that this issue overlaps CVE-2006-4543.3 or CVE-2006-4454.)
 CVE-2006-4454 (Cross-site scripting (XSS) vulnerability in hlstats.php in HLstats 1.34 allows remote attackers to inject arbitrary web script or HTML via the q parameter.)
Original documentdocumentSECUNIA, [SA23444] a-blog Cross-Site Scripting Vulnerability (25.12.2006)
 documentSECUNIA, [SA23457] opentaps "SEARCH_STRING" Cross-Site Scripting Vulnerability (25.12.2006)
 documentShaFuq31_(at)_HoTMaiL.CoM, b2 - 0.5 * [index] Remote File Include Vulnerability (25.12.2006)
 documentShaFuq31_(at)_HoTMaiL.CoM, Okul Merkezi Portal v1.0 Remote File IncLude Vuln. (25.12.2006)
 documentajannhwt_(at)_hotmail.com, Title : Calendar MX BASIC <= 1.0.2 (ID) Remote SQL Injection Vulnerability (25.12.2006)
 documentajannhwt_(at)_hotmail.com, Title : Dragon Business Directory <= V3.01.12 (ID) Remote SQL Injection Vulnerability (25.12.2006)
 documentajannhwt_(at)_hotmail.com, Enthrallweb eCars 1.0 (types.asp) Remote SQL Injection Vulnerability (25.12.2006)
 documentajannhwt_(at)_hotmail.com, Title : Enthrallweb eHomes 1.0 Multiple (SQL/XSS) Vulnerabilities (25.12.2006)
 documentajannhwt_(at)_hotmail.com, Enthrallweb ePhotos 1.0 (subLevel2.asp) Remote SQL Injection Vulnerability (25.12.2006)
 documentajannhwt_(at)_hotmail.com, Ananda Real Estate <= 3.4 (agent) Remote SQL Injection Vulnerability (25.12.2006)
 documentcw.cybersecurity_(at)_gmail.com, myPHPNuke Gallery Module (basepath) Remote File Include (25.12.2006)
 documentcw.cybersecurity_(at)_gmail.com, Shadowed Portal 5.7. Roster Module (mod_root) Remote File Include (25.12.2006)
 documentz1ckX(ru), bugs for Endonesia8.4 (25.12.2006)
 documentnuffsaid, Irokez CMS <= 0.7.1 Multiple Remote File Include Vulnerabilities (25.12.2006)
 documentnuffsaid, Jinzora <= 2.7 (include_path) Multiple Remote File Include Vulnerabilities (25.12.2006)
 documentCorryL, [Full-disclosure] TimberWolf 1.2.2 vulnerable to XSS (25.12.2006)
 documentxx_hack_xx_2004_(at)_hotmail.com, Multiple Bugs in Future Internet ( XSS & SQL Injection ) (25.12.2006)
 documentShaFuq31_(at)_HoTMaiL.CoM, Efkan Forum v1.0 SqL Inj. Vuln. (25.12.2006)
Files:Newsletter MX <= 1.0.2 (ID) Remote SQL Injection Exploit
 File Upload Manager <= 1.0.6 (detail.asp) Remote SQL Injection Exploit
 Enthrallweb eNews 1.0 Remote User Pass Change Exploit
 Enthrallweb eCoupons 1.0(myprofile.asp) Remote Pass Change Exploit
 Enthrallweb eClassifieds 1.0 Remote User Pass Change Exploit
 Enthrallweb ePages (actualpic.asp) Remote SQL Injection Exploit
 Enthrallweb emates 1.0 (newsdetail.asp) Remote SQL Injection Exploit
 Enthrallweb eJobs (newsdetail.asp) Remote SQL Injection Exploit
 Exploits Pagetool CMS <=1.07 (RFI)
 SH-News 0.93 (misc.php) Remote File Include Exploit
 Exploits HLStats HLStats <=1.34 and Hlstats >= 1.20 SQL Inection + Path Disclosure
 MTCMS <= 2.0 (admin/admin_settings.php) Remote File Include Exploit
 ciberia 1.0<(Ciberia Content Federator)>(maquetacion_socio.php) Remote File Inclusion Exploit

acFTP FTP Server DoS
Published:25.12.2006
Source:
SecurityVulns ID:6971
Type:remote
Threat Level:
5/10
Description:Crash on REST command with invalid argument.
Affected:ACFTP : acFTP 1.5
Files:acFTP 1.5 (REST/PBSZ) Denial of Service

Multiple browsers DNS pinning protection bypass
Published:25.12.2006
Source:
SecurityVulns ID:6970
Type:remote
Threat Level:
6/10
Description:By emulatin Web server failure it's possible to bypass DNS pinning protection (protection against changing IP address resolution by DNS name for crossite access)
Affected:MICROSOFT : Windows 2000 Server
 MICROSOFT : Windows 2000 Professional
 MICROSOFT : Windows XP
 MOZILLA : Firefox 1.5
 MICROSOFT : Windows 2003
 MOZILLA : Firefox 2.0
 MICROSOFT : Windows Vista
Original documentdocumentKanatoko, [Full-disclosure] DNS-Pinning demo (25.12.2006)

NeoTrace ActiveX buffer overflow
Published:25.12.2006
Source:
SecurityVulns ID:6972
Type:client
Threat Level:
5/10
Description:Buffer overflow on oversized NeoTraceExplorer.NeoTraceLoader element TraceTarget() method argument.
Affected:NEOTRACE : Neotrace 3.25
 MCAFEE : McAfee Visual Trace 3.25
Original documentdocumentSECUNIA , [SA23463] NeoTrace Express/Pro ActiveX Control "TraceTarget()" Buffer Overflow (25.12.2006)

About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod