Exabytes Security Portal
Application: php Help Agent
Affected Version: version 1.1 Full and other versions.
Vendor’s URL: php Help Agent
Bug Type: File Inclusion
Risk Level: Critical
Solution:
Edit the source code to ensure that input is properly verified.
Application: Drupal
Affected Version: prior to 5.x-1.2.
Vendor’s URL: Drupal OpenID Module
Bug Type: Cross Site Scripting
Risk Level: Medium
Solution:
Update to version 5.x-1.2.
http://drupal.org/node/280593
Application: Drupal
Affected Version: version 5.x and 6.x.
Vendor’s URL: Drupal
Bug Type: Cross Site Scripting
Risk Level: Critical
Solution:
Update to the latest versions or apply patch for version 5.7 or 6.2.
Drupal 5.x:
Update to version 5.8.
http://ftp.drupal.org/files/projects/drupal-5.8.tar.gz
Drupal 6.x:
Update to version 6.3.
http://ftp.drupal.org/files/projects/drupal-6.3.tar.gz
Drupal 5.7:
Apply patch.
http://drupal.org/files/sa-2008-044/SA-2008-044-5.7.patch
Drupal 6.2:
Apply patch.
http://drupal.org/files/sa-2008-044/SA-2008-044-6.2.patch
Application: vbDrupal
Affected Version:
Vendor’s URL: vbDrupal
Bug Type: SQL Injection and Cross Site Scripting
Risk Level: Critical
Solution:
Update to version 5.8.0.
Application: PHP-Nuke
Affected Version: version 0.91.
Vendor’s URL: PHP-Nuke 4ndvddb Module
Bug Type: SQL Injection
Risk Level: Critical
Solution:
Edit the source code to ensure that input is properly sanitized.
Application: Joomla
Affected Version:
Vendor’s URL: Joomla Brightcode Weblinks Component
Bug Type: SQL Injection
Risk Level: Critical
Solution:
Edit the source code to ensure that input is properly sanitized.
Application: Joomla
Affected Version: prior to 1.5.4.
Vendor’s URL: Joomla
Bug Type: Security Bypass
Risk Level: Critical
Solution:
Update to version 1.5.4.
http://joomlacode.org/gf/project/joom…ReleaseBrowse&frs_package_id=3786
Application: vBulletin
Affected Version: version 3.7.2 and 3.6.10 PL2
Vendor’s URL: vBulletin
Bug Type: Cross Site Scripting
Risk Level: Critical
Solution:
Update to version 3.7.2 PL1 or 3.6.10 PL3.
Application: Dolphin
Affected Version: version 6.1.2 and other versions.
Vendor’s URL: Dolphin
Bug Type: File Inclusion
Risk Level: Critical
Solution:
Edit the source code to ensure that input is properly verified.
Application: Moodle
Affected Version: prior to 1.8.5.
Vendor’s URL: Moodle KSES
Bug Type: Security Bypass
Risk Level: Medium
Solution:
Update to version 1.8.5 or upgrade to version 1.9.
The vendor recommends using the “Use HTML Purifier” option in version 1.9.
Application: Drupal
Affected Version: prior to 5.x-1.8
Vendor’s URL: Drupal Taxonomy Autotagger
Bug Type: SQL Injection and Cross Site Scripting
Risk Level: Critical
Solution:
Update to version 5.x-1.8.
http://drupal.org/node/277684
Application: Drupal
Affected Version: prior to 5.x-1.10-1.
Vendor’s URL: Drupal Tinytax taxonomy block
Bug Type: Cross Site Scripting
Risk Level: Medium
Solution:
Update to version 5.x-1.10-1.
http://drupal.org/node/277682
Application: Drupal
Affected Version: prior to 5.x-7.3 and 6.x-1.0-RC1.
Vendor’s URL: Drupal Organic groups
Bug Type: Information Disclosure and Script Insertion
Risk Level: Medium
Solution:
Update to the fixed versions.
5.x-7.3:
http://drupal.org/node/277854
6.x-1.0-RC1:
http://drupal.org/node/277869
Application: emuCMS
Affected Version: version 0.3 and other versions.
Vendor’s URL: emuCMS
Bug Type: SQL Injection
Risk Level: Critical
Solution:
Edit the source code to ensure that input is properly sanitized.
Restrict access to the “admin/fckeditor/editor/filemanager/upload/php/upload.php” script (e.g. with “.htaccess”).
Application: Joomla
Affected Version: version 1.0 and other versions.
Vendor’s URL: Joomla EXP Shop Component
Bug Type: SQL Injection
Risk Level: Critical
Solution:
Edit the source code to ensure that input is properly sanitized.
Application: FubarForum
Affected Version: version 1.5 and prior versions.
Vendor’s URL: FubarForum
Bug Type: Local File Inclusion
Risk Level: Critical
Solution:
Update to version 1.6.
Application: CiBlog
Affected Version: version 3.1 and other versions.
Vendor’s URL: CiBlog
Bug Type: SQL Injection
Risk Level: Critical
Solution:
Edit the source code to ensure that input is properly sanitized.
Application: Joomla
Affected Version: version 1.2.0 SP1 and other versions.
Vendor’s URL: Joomla nBill Component
Bug Type: SQL Injection
Risk Level: Critical
Solution:
Apply patch.
http://www.nbill.co.uk/forum-smf/index.php/topic,716.0.html
Application: Drupal
Affected Version: prior to 5.x-1.2
Vendor’s URL: Drupal Suggested Terms Module
Bug Type: Script Insertion
Risk Level: Medium
Solution:
Update to version 5.x-1.2.
Application: OpenCart
Affected Version: version 0.7.7 and other versions.
Vendor’s URL: OpenCart
Bug Type: Script Insertion and Cross Site Scripting
Risk Level: Critical
Solution:
Edit the source code to ensure that input is properly sanitized.
You are currently browsing the Exabytes Security Portal weblog archives for the month July, 2008.
