Archive for November, 2007

IceBB “X-Forwarded-For” SQL Injection

November 21st, 2007

Application: IceBB
Affected Version: IceBB 1.x
Vendor’s URL: Application site
Bug Type: SQL Injection
Risk Level: Critical

Solution:
Edit the source code or consult the provider for proper action.

SQL Injection

AutoIndex PHP Script “index.php” URL Cross-Site Scripting

November 21st, 2007

Application: AutoIndex PHP Script
Affected Version: AutoIndex PHP Script 2.x
Vendor’s URL: Application download site
Bug Type: Cross Site Scripting
Risk Level: Low

Solution:
Update to version 2.2.3.

Cross Site Scripting

Eggblog “rss.php” URL Cross-Site Scripting

November 21st, 2007

Application: Eggblog
Affected Version: Eggblog 3.x
Vendor’s URL: Application site
Bug Type: Cross-Site Scripting
Risk Level: Critical

Solution:
Update to version 3.1.1.

Cross Site Scripting

Coppermine Photo Gallery “data” Cross-Site Scripting

November 21st, 2007

Application: Coppermine Photo Gallery
Affected Version: Coppermine Photo Gallery 1.x
Vendor’s URL: Application site
Bug Type: Cross Site Scripting
Risk Level: Low

Solution:
Update to version 1.4.14.

Cross Site Scripting

SugarCRM Module Builder “file” Vulnerability

November 21st, 2007

Application: SugarCRM – Module Builder
Affected Version: Module Builder 4.x
Vendor’s URL: Application site
Bug Type: Exposure of sensitive / system information
Risk Level: Critical

Solution:
Update to version 4.5.1.d.

File Inclusion

SyndeoCMS “cmsdir” File Inclusion Vulnerability

November 21st, 2007

Application: SyndeoCMS
Affected Version: SyndeoCMS 2.x
Vendor’s URL: Application site
Bug Type: Access Bypass
Risk Level: Low

Solution:
Update to version 2.5.01.

Access Bypass, Remote Command Execution

Helios Calendar “username” Cross-Site Scripting Vulnerability

November 21st, 2007

Application: Helios Calendar
Affected Version: Helios Calendar 1.x
Vendor’s URL: Application site
Bug Type: Cross Site Scripting
Risk Level: Low

Solution:
Apply the latest patch provided officially.

Cross Site Scripting

NetCommons Cross-Site Scripting Vulnerability

November 21st, 2007

Application: NetCommons
Affected Version: NetCommons 1.x
Vendor’s URL: Application site
Bug Type: Cross Site Scripting
Risk Level: Low

Solution:
Update to version 1.0.11 or 1.1.2.

Cross Site Scripting

sBlog Cross-Site Request Forgery Vulnerability

November 21st, 2007

Application: sBlog
Affected Version: sBlog 0.x
Vendor’s URL: Application download site
Bug Type: Cross Site Scripting
Risk Level: High

Solution:
Contact the provider for proper action.

Cross Site Scripting

CONTENTCustomizer “dialog.php” Information Disclosure

November 21st, 2007

Application: CONTENTCustomizer
Affected Version: CONTENTCustomizer 3.x
Vendor’s URL: Application site
Bug Type: Exposure of sensitive information
Risk Level: Critical

Solution:
Contact the provider for proper action.

Remote Command Execution

PHP-AGTC membership system adduser.php Security Bypass

November 21st, 2007

Application: PHP-AGTC
Affected Version: PHP-AGTC 1.x
Vendor’s URL: Application download site
Bug Type: Security Bypass
Risk Level: High

Solution:
Restrict access to adduser.php via .htaccess or contact the provider for proper action.

Access Bypass

WordPress “posts_columns” Cross-Site Scripting

November 21st, 2007

Application: WordPress
Affected Version: WordPress 2.3
Vendor’s URL: Application download site
Bug Type: Cross Site Scripting
Risk Level: High

Solution:
Update to version 2.3.1.

Cross Site Scripting

phpBB Multi-Forums Module Vulnerabilities

November 21st, 2007

Application: phpBB
Affected Version: phpBB Multi-Forums 1.x
Vendor’s URL: Software site
Bug Type: SQL injection
Risk Level: Critical

Solution:
Edit the source code or consult the software provider for proper action.

SQL Injection

Simple PHP Blog Multiple Vulnerabilities

November 21st, 2007

Application: Simple PHP Blog
Affected Version: Simple PHP Blog 0.x
Vendor’s URL: Application download site
Bug Type: Security Bypass, Cross Site Scripting, Exposure of system information
Risk Level: Critical

Solution:
Consult the application provider for proper action.

Access Bypass, Cross Site Scripting

CandyPress “msg” Cross-Site Scripting Vulnerability

November 21st, 2007

Application: CandyPress
Affected Version: CandyPress 4.x
Vendor’s URL: Software site
Bug Type: Cross Site Scripting
Risk Level: Low

Solution:
Edit the source code or consult the software provider.

Cross Site Scripting