Archive for August, 2007

Coppermine Photo Gallery YABBSE.INC.PHP Remote File Include Vulnerability

August 30th, 2007

Application Affected:
Coppermine Photo Gallery 1.4
Coppermine Photo Gallery 1.3.4
Coppermine Photo Gallery 1.3.3
Coppermine Photo Gallery 1.3.2
Coppermine Photo Gallery 1.3.1

Vendor’s URL: CopperMine HomePage
Bug Type: Input Validation
Risk Level: Medium

Solution: The fix will be included in the newer version, Coppermine Photo Gallery 1.4.2.

Applications, File Inclusion, Image Galleries, Vulnerabilities

WordPress PHP_Self Cross-Site Scripting Vulnerability

August 27th, 2007

Application Affected:
WordPress 2.1.2
WordPress 2.1.1
WordPress 2.0.10
WordPress 2.0.7
WordPress 2.0.6
WordPress 2.0.5
WordPress 2.0.4
WordPress 2.0.3
WordPress 2.0.2
WordPress 2.0.1
WordPress 2.0
WordPress 2.2 Revision 5003
WordPress 2.2 Revision 5002
WordPress 2.1.3-RC1
WordPress 2.1
WordPress 2.0.10-RC1

Vendor’s URL: WordPress HomePage
Bug Type: Input Validation
Risk Level: Medium

Solution: The fix will be included in the newer version, WordPress 2.2.2.

Applications, Blogs, Cross Site Scripting

Joomla SimpleFAQ components SQL Injection

August 24th, 2007

Application: Joomla
Affected Version: Joomla component [SimpleFAQ 2.40]
Vendor’s URL: http://forum.joomla.org/
Bug Type: SQL Injection
Risk Level: Medium

Solution: Edit the source code of the component or contact the developer for the latest update.

SQL Injection

WordPress Pool Theme Url XSS

August 24th, 2007

Application: WordPress
Affected Version: WordPress Pool Theme 1.0.7
Vendor’s URL: http://www.lamateporunyogur.net/pool
Bug Type: URL Cross Site Scripting
Risk Level: Low

Solution: Edit the theme's source code, switch to another theme, or contact the theme developer for the latest fixed version.

Cross Site Scripting

Drupal Modules Access Bypass

August 24th, 2007

Application: Drupal
Affected Version:
* Project module 5.x-1.0, 4.7.x-2.3, and 4.7.x-1.3
* Project issue tracking module 5.x-1.0, 4.7.x-2.4, and 4.7.x-1.4
Vendor’s URL: http://drupal.org/
Bug Type: Access bypass
Risk Level: Medium

Solution:
- Update the Project module and the Project issue tracking module to the fixed versions accordingly.
http://drupal.org/node/168760

Access Bypass

Drupal Content Construction Kit Nodereference Module XSS

August 17th, 2007

Application: Drupal
Affected Version: Content Construction Kit (CCK) (third-party module) 4.7.x, 5.x
Vendor’s URL: http://drupal.org/
Bug Type: Cross Site Script Injection
Risk Level: Critical

Solution:
- Install the latest CCK release corresponding to your Drupal version:
* CCK 4.7.x-1.6.
* CCK 5.x-1.6.

Cross Site Scripting

Remote command execution in Joomla! CMS

August 17th, 2007

Application: Joomla
Affected Version: 1.5 beta 2
Vendor’s URL: http://www.joomla.org/
Bug Type: Command Execution
Risk Level: Medium

Solution:
Upgrade immediately to the latest stable version, 1.5 RC, which fixes the issue.

Remote Command Execution