Author Archive for TL Guan

Drupal Mailsave Module MIME Type Script Insertion

Application: Drupal
Affected Version: prior to 5.x-3.3 and prior to 6.x-1.3.
Vendor’s URL: Mailsave Module
Bug Type: Script Insertion
Risk Level: Cross Site Scripting

Solution:
Update to version 5.x-3.3 or 6.x-1.3.

Drupal Talk Module Script Insertion and Security Bypass

Application: Drupal
Affected Version: prior to 5.x-1.3 and prior to 6.x-1.5.
Vendor’s URL: Talk Module
Bug Type: Script Insertion and Security Bypass
Risk Level: Cross Site Scripting, Security Bypass

Solution:
Update to version 5.x-1.3 or 6.x-1.5.

Drupal Link To Us Module Script Insertion

Application: Drupal
Affected Version: version 5.x-1.0.
Vendor’s URL: Link To Us Module
Bug Type: Script Insertion
Risk Level: Critical

Solution:
Update to version 5.x-1.1.

Joomla! Multiple Vulnerabilities

Application: Joomla!
Affected Version: prior to version 1.5.7.
Vendor’s URL: Joomla!
Bug Type:
Risk Level: Critical

Solution:
Update to version 1.5.7.

DotNetNuke Multiple Vulnerabilities

Application: DotNetNuke
Affected Version: versions 4.4.1 - 4.8.4 or versions 2.0 - 4.8.4.
Vendor’s URL: DotNetNuke
Bug Type: Security Bypass
Risk Level: Critical

Solution:
Update to version 4.9.0.

WordPress Insecure Password Generation

Application: WordPress
Affected Version: prior to 2.6.2.
Vendor’s URL: WordPress
Bug Type:
Risk Level: Critical

Solution:
Update to version 2.6.2.

D-iscussion Board Local File Inclusion

Application: D-iscussion Board
Affected Version: version 3.01
Vendor’s URL: D-iscussion Board
Bug Type: File Inclusion
Risk Level: Critical

Solution:
Edit the source code to ensure that input is properly verified.

Invision Power Board Multiple Vulnerabilities

Application: Invision Power Board
Affected Version: 2.2.x versions and all 2.3.x versions, inclusive of 2.3.5.
Vendor’s URL: Invision Power Board
Bug Type: SQL injection
Risk Level: Critical

Solution:
Apply the vendor’s official patch, which fixes vulnerability #1:
http://forums.invisionpower.com/index.php?showtopic=276512

Do not select “Switch between standard and rich text editor”. Do not import untrusted language files.

Drupal Content Construction Kit Script Insertion

Application: Drupal
Affected Version: prior to 5.x-1.8.
Vendor’s URL: Content Construction Kit
Bug Type: Cross Site Scripting
Risk Level: Medium

Solution:
Update to CCK 5.x-1.9

webEdition CMS SQLi

Application: webEdition CMS
Affected Version:
Vendor’s URL: webEdition CMS
Bug Type: SQL Injection
Risk Level: Critical

Solution:
Edit the source code to ensure that input is properly sanitised.

Xoops PopnupBlog Module XSS

Application: Xoops
Affected Version: version 3.20
Vendor’s URL: PopnupBlog Module
Bug Type: Cross Site Scripting
Risk Level: Medium

Solution:
Edit the source code to ensure that input is properly sanitized.

Drupal Mailhandler Module Unspecified SQLi

Application: Drupal
Affected Version: prior to 5.x-1.4 or prior to 6.x-1.4
Vendor’s URL: Mailhandler Module
Bug Type: SQL injection
Risk Level: Critical

Solution:
Update to version 5.x-1.4 or 6.x-1.4.

vbDrupal Multiple Vulnerabilities

Application: vbDrupal
Affected Version: all 5.x versions prior to 5.10.0.
Vendor’s URL: vbDrupal
Bug Type: Cross Site Scripting
Risk Level: Medium

Solution:
Update to version 5.10.0 or later.

Mambo Two XSS Vulnerabilities

Application: Mambo
Affected Version: version 4.6.5; also reported in version 4.6.2 and other versions.
Vendor’s URL: Mambo
Bug Type: Cross Site Scripting
Risk Level: Medium

Solution:
Edit the source code to ensure that input is properly sanitised.

Vanilla Multiple Vulnerabilities

Application: Vanilla
Affected Version: version 1.1.4 and other versions.
Vendor’s URL: Vanilla
Bug Type: Cross Site Scripting
Risk Level: Medium

Solution:
All vulnerabilities except for the “Value” form field in #2 are fixed in version 1.1.5-rc1.
Edit the source code to ensure that input is properly sanitised. Do not browse untrusted web sites while logged on to the application.

PHP Live Helper Multiple Vulnerabilities

Application: PHP Live Helper
Affected Version: version 2.0.1 and other versions.
Vendor’s URL: PHP Live Helper
Bug Type: SQL Injection
Risk Level: Critical

Solution:
Update to version 2.1.0.

vBulletin Private Message Subject Script Insertion

Application: vBulletin
Affected Version: 3.7.2 PL1 and 3.6.10 PL3 and prior versions.
Vendor’s URL: vBulletin
Bug Type: Script Insertion
Risk Level: Medium

Solution:
Update to version 3.7.2 PL2 or 3.6.10 PL4.

TinyCMS “config[template]” Local File Inclusion

Application: TinyCMS
Affected Version: version 1.1.2 and other versions.
Vendor’s URL: TinyCMS
Bug Type: File Inclusion
Risk Level: Critical

Solution:
Edit the source code to ensure that input is properly verified.

Kayako SupportSuite Multiple Vulnerabilities

Application: Kayako
Affected Version: version 3.20.02 and prior versions
Vendor’s URL: SupportSuite
Bug Type: SQL Injection and Cross Site Scripting
Risk Level: Critical

Solution:
Fixed in version 3.30.00 RC3.

Filter malicious characters and character sequences in a web proxy.

Drupal XSRF and Security Bypass

Application: Drupal
Affected Version: all 6.x versions prior to 6.4
Vendor’s URL: Drupal
Bug Type: Cross Site Scripting and Security Bypass
Risk Level: Medium

Solution:
Update to version 6.4.