Archive for June, 2007

Joomla JEvents Component Remote File Include

June 21st, 2007

Application: Joomla
Affected Version: Joomla JEvents Component 1.4.1
Vendor’s URL: http://www.joomla.org/
Bug Type: File Inclusion
Risk Level: Critical

Solution:
Edit the source code to ensure that input is properly validated.
Disable the component, remove it from the directory, and wait for updates or patches from the vendor.

Content Management, File Inclusion

PHPMailer Remote Command Execution

June 21st, 2007

Application: PHPMailer
Affected Version: 1.73; other versions may also be affected
Vendor’s URL: http://phpmailer.sourceforge.net/
Bug Type: Remote Command Execution
Risk Level: Critical

Solution:
Edit the source code to ensure that input is properly validated.
Stop using this application until a patch is released.
Wait for updates or patches from the vendor.

Mailing Lists, Remote Command Execution

PHP Live! Request.PHP Cross-Site Scripting

June 21st, 2007

Application: PHP Live!
Affected Version: 3.2.2; other versions may also be affected
Vendor’s URL: http://www.phplivesupport.com/
Bug Type: Cross-Site Scripting
Risk Level: Medium

Solution:
Wait for updates or patches from the vendor.

Cross Site Scripting, Customer Relationship

WordPress XML-RPC SQL Injection

June 21st, 2007

Application: WordPress
Affected Version: 2.2 or earlier
Vendor’s URL: http://www.wordpress.org/
Bug Type: SQL Injection
Risk Level: Medium

Solution:
Wait for updates or patches from the vendor.

Content Management, SQL Injection

YaBB CRLF Injection Privilege Escalation

June 15th, 2007

Application: YABB Forum
Affected Version: 2.1; other versions may also be affected
Vendor’s URL: http://www.yabbforum.com/
Bug Type: Privilege Escalation
Risk Level: Critical

Solution:
Apply the vendor's patch:
http://www.yabbforum.com/community/?board=general;action=display;num=1181678785

Discussion Boards, Privilege Escalation

Xoops XT-Conteudo Module “spaw_root” Vulnerability

June 15th, 2007

Application: XT-Conteudo 1.x (module for Xoops)
Affected Version: 3; other versions may also be affected
Vendor’s URL: http://www.xoops.org/
Bug Type: File Inclusion
Risk Level: Critical

Solution:
Edit the source code to ensure that input is properly validated.
Disable the module, remove it from the directory, and wait for updates or patches from the vendor.

Content Management, File Inclusion

Xoops Cjay Content WYSIWYG IE Module Vulnerability

June 15th, 2007

Application: Cjay Content WYSIWYG IE 3.x (module for Xoops)
Affected Version: 3; other versions may also be affected
Vendor’s URL: http://www.xoops.org/
Bug Type: File Inclusion
Risk Level: Critical

Solution:
Edit the source code to ensure that input is properly validated.
Disable the module, remove it from the directory, and wait for updates or patches from the vendor.

Content Management, File Inclusion