Archive for January, 2007

Indexu Multiple XSS

January 18th, 2007

Application: Indexu
Version: 5.x or below
Vendor’s URL: http://www.nicecoder.com/
Bug type: Cross Site Scripting
Risk: High

Solution:
- Edit the source code to ensure that input is properly sanitised
- Upgrade the application to the latest version
- Apply the vendor patch

Cross Site Scripting, General Purpose Directories

InstantForum.NET Members1/Logon.aspx XSS

January 18th, 2007

Application: InstantForum.NET
Version: 4.1.0 or below
Vendor’s URL: http://www.instantasp.co.uk/Products/InstantForum/Default.aspx
Bug type: Cross Site Scripting
Risk: Low

Solution:
- Currently waiting for a bug fix from the respective vendor.

Cross Site Scripting, Discussion Boards

PHP-Nuke “cat” Old Articles Block SQL Injection

January 18th, 2007

Application: php-nuke
Version: 7.9 or below
Vendor’s URL: http://www.phpnuke.org
Bug type: SQL Injection
Risk: Medium

Solution:
- Turn off register_globals
- Alternatively, modify the source code by adding something like this to the /index.php file:
$cat = ($_GET['cat']) ? filter($_GET['cat'], "nohtml") : '';
- That is only a temporary workaround. We recommend upgrading to PHP-Nuke 8.0.
- Use another product.

Content Management, SQL Injection

Mybloggie XSS Vulnerability

January 18th, 2007

Application: mybloggie
Version: 2.1.5
Vendor’s URL: http://mywebland.com/download.php?id=19
Bug type: Cross Site Scripting
Risk: Medium

Solution:
- If you are using this CMS, keep an eye on the vendor's site for an update that fixes the bug mentioned above.

Blogs, Cross Site Scripting