Exabytes Security Portal
Application: CMS Made Simple
Affected Version: version 1.2.4 and prior versions.
Vendor’s URL: CMS Made Simple
Bug Type: System access
Risk Level: Critical
Solution:
Update to version 1.2.5.
Application: AJ E-Commerce
Affected Version: version 2.0 and other versions.
Vendor’s URL: AJ E-Commerce
Bug Type: SQL Injection
Risk Level: Critical
Solution:
Edit the source code to ensure that input is properly sanitized.
Application: CMS Faethon
Affected Version: version 2.2 and other versions.
Vendor’s URL: CMS Faethon
Bug Type: Cross Site Scripting
Risk Level: Medium
Solution:
Edit the source code to ensure that input is properly sanitized.
Application: fipsCMS
Affected Version:
Vendor’s URL: fipsCMS
Bug Type: SQL Injection
Risk Level: Critical
Solution:
Edit the source code to ensure that input is properly sanitized.
Application: Galleristic
Affected Version: version 1.0 and other versions.
Vendor’s URL: Galleristic
Bug Type: SQL Injection
Risk Level: Critical
Solution:
Edit the source code to ensure that input is properly sanitized.
Application: Maian Guestbook
Affected Version: version 3.2 and other versions.
Vendor’s URL: Maian Guestbook
Bug Type: Cross Site Scripting
Risk Level: Medium
Solution:
Edit the source code to ensure that input is properly sanitized.
Application: SazCart
Affected Version: version 1.5.1 and other versions.
Vendor’s URL: SazCart
Bug Type: SQL Injection
Risk Level: Critical
Solution:
Edit the source code to ensure that input is properly verified and sanitized.
Set “register_globals” to “Off” and “magic_quotes_gpc” to “On”.
Application: Joomla
Affected Version: version 1.6 and other versions.
Vendor’s URL: Joomla DatsoGallery Component
Bug Type: SQL Injection
Risk Level: Critical
Solution:
Edit the source code to ensure that input is properly sanitized.
Application: phpDirectorySource
Affected Version: version 1.1.06 and other versions.
Vendor’s URL: phpDirectorySource
Bug Type: SQL Injection
Risk Level: Critical
Solution:
Edit the source code to ensure that input is properly sanitized.
Application: Auction XL
Affected Version:
Vendor’s URL: Auction XL
Bug Type: SQL Injection
Risk Level: Critical
Solution:
Edit the source code to ensure that input is properly sanitized.
Application: Miniweb
Affected Version: version 2.0 and other versions.
Vendor’s URL: Miniweb
Bug Type: SQL Injection
Risk Level: Critical
Solution:
Filter malicious characters and character sequences using a proxy.
Application: Online Rental Property Script
Affected Version: version 4.5 and other versions.
Vendor’s URL: Online Rental Property Script
Bug Type: SQL Injection
Risk Level: Critical
Solution:
Filter malicious characters and character sequences using a proxy.
Application: ITCms
Affected Version: version 1.9 and other versions.
Vendor’s URL: ITCms
Bug Type: Code execution
Risk Level: Critical
Solution:
Restrict access to trusted users only.
Application: DeluxeBB
Affected Version: version 1.2 and other versions.
Vendor’s URL: DeluxeBB
Bug Type: SQL Injection and code execution
Risk Level: Critical
Solution:
Apply the Patch.
Application: Maian Weblog
Affected Version: version 4.0 and other versions.
Vendor’s URL: Maian Weblog
Bug Type: Cross Site Scripting
Risk Level: Medium
Solution:
Edit the source code to ensure that input is properly sanitized.
Application: Harris WapChat
Affected Version: version 1.0 and other versions.
Vendor’s URL: Harris WapChat
Bug Type: File Inclusion
Risk Level: Critical
Solution:
Edit the source code to ensure that input is properly verified.
Use another product.
Application: BlogMe
Affected Version: version 1.1 and other versions.
Vendor’s URL: BlogMe
Bug Type: SQL Injection
Risk Level: Critical
Solution:
Edit the source code to ensure that input is properly sanitized.
Application: Jokes Site Script
Affected Version:
Vendor’s URL: Jokes Site Script
Bug Type: SQL Injection
Risk Level: Critical
Solution:
Edit the source code to ensure that input is properly sanitized.
Application: FluentCMS
Affected Version: version 4.x
Vendor’s URL: FluentCMS
Bug Type: SQL Injection
Risk Level: Critical
Solution:
Edit the source code to ensure that input is properly sanitized.
Application: XOOPS
Affected Version: BackPack version 0.91 and earlier
BmSurvey version 0.84 and earlier
bb_fileup version 1.83 and earlier
News_embed (news_fileup) version 1.44 and earlier
PopnupBlog version 3.19 and earlier
Vendor’s URL: XOOPS Various Bluemoon inc. Modules
Bug Type: Cross Site Scripting
Risk Level: Medium
Solution:
Update to BackPack version 0.93, BmSurvey version 0.85, newbb_fileup version 1.84, News_embed version 1.45, and PopnupBlog version 3.20.
You are currently browsing the Exabytes Security Portal weblog archives for the month May, 2008.
