Archive for September, 2007

Joomla Joomla!12Pictures Component File Inclusion

September 21st, 2007

Application: Joomla
Affected Version: Joomla!12Pictures 1.x
Vendor’s URL: -
Bug Type: Malicious Access
Risk Level: High

Solution:
Edit the source code or look for a patch file.

Access Bypass

Joomla Joomla!FlashFun Component File Inclusion

September 21st, 2007

Application: Joomla
Affected Version: Joomla!FlashFun 1.x
Vendor’s URL: Joomla!FlashFun Homepage
Bug Type: File Inclusion
Risk Level: High

Solution:
Edit the source code & contact the component developer.

File Inclusion

phpBB Styles Demo Module Multiple Vulnerabilities

September 21st, 2007

Application: phpBB
Affected Version: Styles Demo Module 1.x
Vendor’s URL: phpBB Homepage
Bug Type: SQL Injection & Cross Site Scripting
Risk Level: Critical

Solution:
Edit the source code & contact the developer.

Cross Site Scripting, SQL Injection

Joomla Nice Talk Component “tagid” SQL Injection

September 21st, 2007

Application: Joomla
Affected Version: Nice Talk 0.x
Vendor’s URL: Nice Talk Homepage
Bug Type: SQL Injection Attacks
Risk Level: Critical

Solution:
Edit the source code and ensure the input is sanitised.

SQL Injection

Joomla NeoRecruit Component SQL Injection

September 21st, 2007

Application: Joomla
Affected Version: NeoRecruit 1.x
Vendor’s URL: NeoRecruit DownloadPage
Bug Type: SQL Injection Attack
Risk Level: Critical

Solution:
Update to version 1.4.1.

SQL Injection

MediaWiki XSS

September 21st, 2007

Application: MediaWiki
Affected Version:
MediaWiki 1.11 <= 1.11.0rc1
MediaWiki 1.10 <= 1.10.1
MediaWiki 1.9 <= 1.9.3
MediaWiki 1.8 <= 1.8.4 (if $wgEnableAPI has been switched on)
Vendor’s URL: MediaWiki HomePage
Bug Type: Cross Site Scripting
Risk Level: Medium

Solution:
Update to version 1.11.0, 1.10.2, 1.9.4, or 1.8.5.

Cross Site Scripting, Remote Command Execution

Joomla Restaurante Component File Upload Vulnerability

September 21st, 2007

Application: Joomla
Affected Version: Restaurante 1.x
Vendor’s URL: Restaurante DownloadPage
Bug Type: Malicious file upload allowing script execution
Risk Level: High

Solution:
Update to the latest version.

Remote Command Execution

WordPress Multiple Vulnerabilities

September 21st, 2007

Application: WordPress
Affected Version: WordPress 2.x & WordPress MU 1.x
Vendor’s URL: WordPress HomePage
Bug Type: Script Insertion and SQL Injection
Risk Level: Critical

Solution:
Update to WordPress version 2.2.3 & WordPress MU version 1.2.5a.

Cross Site Scripting, SQL Injection

Invision Power Board Multiple Vulnerabilities

September 21st, 2007

Application: Invision Power Board
Affected Version: 2.x
Vendor’s URL: Invision Power Board HomePage
Bug Type: Security bypass & Cross site scripting
Risk Level: Medium

Solution:
Download the latest version.
Apply the vendor's patch, following the instructions provided.

Access Bypass, Cross Site Scripting

Joomla Joomlaradio Component File Inclusion

September 21st, 2007

Application: Joomla
Affected Version: Joomlaradio 5.x; other versions may also be affected
Vendor’s URL: -
Bug Type: File Inclusion
Risk Level: Critical

Solution:
Edit the source code or consult the vendor.

File Inclusion

TinyWebGallery Multiple URL XSS

September 21st, 2007

Application: TinyWebGallery
Affected Version: 1.6.3.4 and other versions
Vendor’s URL: TinyWebGallery HomePage
Bug Type: Remote Cross Site Scripting
Risk Level: Medium

Solution:
Edit the source code or consult the application developer.

Cross Site Scripting

Coppermine XSS and Local File Inclusion

September 20th, 2007

Application: Coppermine
Affected Version: 1.4.12 and prior versions
Vendor’s URL: http://coppermine-gallery.net/
Bug Type: Cross Site Scripting & Exposure of system information
Risk Level: Medium

Solution:
Update to version 1.4.13.

Cross Site Scripting

Mambo Component AkoBook Script Insertion

September 20th, 2007

Application: Mambo
Affected Version: 3.42
Vendor’s URL: http://www.mamboportal.com/
Bug Type: Script Insertion Attacks
Risk Level: Medium

Solution:
Edit the component's source code or contact the developer for the latest update.

Cross Site Scripting