Archive for the ‘Access Bypass’ Category

WordPress Woopra Analytics Plugin Arbitrary File Creation

December 24th, 2009

Application: WordPress
Affected Version:
Vendor’s URL: Woopra Analytics Plugin
Bug Type: System Access
Risk Level: Critical

Solution:
Update to version 1.4.3.2.

Remove the ofc_upload_image.php file from the Open Flash Chart directory.
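As an added example (not code from the advisory or from the Woopra plugin), the following POSIX sh script checks a WordPress install against the two remediation steps above: it reads the plugin's version from the standard WordPress "Version:" plugin header and compares it with 1.4.3.2, then deletes every copy of Open Flash Chart's ofc_upload_image.php under the web root. The plugin path wp-content/plugins/woopra/woopra.php and the ofc/ sub-directory used by the demo fixture are assumptions, and the fixture itself is constructed for the demo, not a real site.

```shell
#!/bin/sh
# Added example, not part of the advisory. Assumes the plugin's main file is
# wp-content/plugins/woopra/woopra.php and carries a standard WordPress
# "Version:" header; adjust WP_ROOT and paths for a real site.

# version_lt A B: exit 0 if dotted version A is older than B (digits only).
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax=${a%%.*}; bx=${b%%.*}          # leading component of each
        [ "$ax" = "$a" ] && a= || a=${a#*.} # drop it from the remainder
        [ "$bx" = "$b" ] && b= || b=${b#*.}
        ax=${ax:-0}; bx=${bx:-0}            # missing trailing components are 0
        [ "$ax" -lt "$bx" ] && return 0
        [ "$ax" -gt "$bx" ] && return 1
    done
    return 1
}

# Print the Version: value from a WordPress plugin header.
wp_plugin_version() {
    sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Delete every ofc_upload_image.php below the given root, printing each path.
remove_ofc_uploader() {
    find "$1" -type f -name ofc_upload_image.php -print -exec rm -f {} +
}

# Report the Woopra plugin's patch state and remove the uploader script.
audit_woopra() {
    root=$1
    main="$root/wp-content/plugins/woopra/woopra.php"
    if [ -f "$main" ]; then
        v=$(wp_plugin_version "$main")
        if version_lt "${v:-0}" 1.4.3.2; then
            echo "woopra ${v:-unknown} is vulnerable; update to 1.4.3.2"
        else
            echo "woopra $v is patched"
        fi
    fi
    remove_ofc_uploader "$root"
}

# Constructed fixture for the demo (hypothetical layout, not a real site).
make_sample_site() {
    root=$1
    mkdir -p "$root/wp-content/plugins/woopra/ofc" "$root/wp-content/uploads"
    printf '<?php\n/*\nPlugin Name: Woopra\nVersion: 1.4.3.1\n*/\n' \
        > "$root/wp-content/plugins/woopra/woopra.php"
    : > "$root/wp-content/plugins/woopra/ofc/ofc_upload_image.php"
    : > "$root/wp-content/plugins/woopra/ofc/open-flash-chart.php"
}

if [ "${1:-}" = "--demo" ]; then
    WP_ROOT=$(mktemp -d)
    make_sample_site "$WP_ROOT"
    audit_woopra "$WP_ROOT"
    rm -rf "$WP_ROOT"
fi
```

Run it as `sh audit.sh --demo` to see it against the fixture, or source the file and call `audit_woopra /var/www/html` on a real install. The version compare is written by hand because `sort -V` is a GNU extension.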

Access Bypass, Content Management

XOOPS Profile Activation Security Bypass

December 1st, 2009

Application: XOOPS
Affected Version: prior to 2.4.1
Vendor’s URL: XOOPS Profile Activation
Bug Type: Security Bypass
Risk Level: Medium

Solution:
Update to version 2.4.1.

Access Bypass, Content Management

WordPress File Upload and Script Insertion

December 1st, 2009

Application: WordPress
Affected Version: version 2.8.5
Vendor’s URL: WordPress
Bug Type: File Upload and Script Insertion
Risk Level: Medium

Solution:
Update to version 2.8.6.

Access Bypass, Content Management, Cross Site Scripting

Joomla Jumi Component Backdoor Security Issue

December 1st, 2009

Application: Joomla
Affected Version:
Vendor’s URL: Jumi Component
Bug Type: Access Bypass
Risk Level: Critical

Solution:
The vendor has released clean installation files.

Access Bypass, Content Management

Joomla iCRM Basic Component Multiple Vulnerabilities

October 23rd, 2009

Application: Joomla
Affected Version: version 1.4.2.31 and other versions.
Vendor’s URL: iCRM Basic Component
Bug Type: Security Bypass
Risk Level: Critical

Solution:
Edit the source code to ensure that input is properly sanitised.

Access Bypass, Content Management

Drupal Go - url redirects Module Multiple Vulnerabilities

September 23rd, 2009

Application: Drupal
Affected Version:
Vendor’s URL: Go - url redirects Module
Bug Type: SQL Injection, Cross Site Scripting, Security Bypass
Risk Level: Critical

Solution:
Update to version 5.x-1.4 or 6.x-1.1.

Access Bypass, Content Management, Cross Site Scripting, SQL Injection

Zen Cart Administration Security Bypass

June 27th, 2009

Application: Zen Cart
Affected Version: version 1.3.8a (full fileset 12112007) and other versions.
Vendor’s URL: Zen Cart
Bug Type: Security Bypass
Risk Level: Critical

Solution:
Apply patch.
http://www.zen-cart.com/forum/attachment.php?attachmentid=5943&d=1245789282

Access Bypass, E-Commerce

Movable Type Security Bypass and XSS

June 27th, 2009

Application: Movable Type
Affected Version: versions prior to 4.26.
Vendor’s URL: Movable Type
Bug Type: Security Bypass and Cross Site Scripting
Risk Level: Critical

Solution:
Update to version 4.26 or later.

Access Bypass, Blogs, Cross Site Scripting

Drupal Views Module Multiple Vulnerabilities

June 27th, 2009

Application: Drupal
Affected Version: versions prior to 6.x-2.6.
Vendor’s URL: Drupal Views Module
Bug Type: Cross Site Scripting and Security Bypass
Risk Level: Critical

Solution:
Update to version 6.x-2.6.
http://drupal.org/node/488082

Access Bypass, Content Management, Cross Site Scripting

Drupal Services Module Key-based Access Security Bypass

June 27th, 2009

Application: Drupal
Affected Version: versions prior to 6.x-0.14.
Vendor’s URL: Drupal Services Module
Bug Type: Security Bypass
Risk Level: Critical

Solution:
Update to version 6.x-0.14.
http://drupal.org/node/487784

Access Bypass, Content Management

osCommerce Finnish Bank Payment Module Security Bypass

June 27th, 2009

Application: osCommerce Finnish Bank Payment Module
Affected Version:
Vendor’s URL: osCommerce Finnish Bank Payment Module
Bug Type: Security Bypass
Risk Level: Critical

Solution:
Apply the vendor patch.

Access Bypass, E-Commerce

osCommerce Luottokunta Module Security Bypass

June 27th, 2009

Application: osCommerce Luottokunta Module
Affected Version: versions prior to 1.3.
Vendor’s URL: osCommerce Luottokunta Module
Bug Type: Security Bypass
Risk Level: Critical

Solution:
Update to version 1.3.
http://addons.oscommerce.com/info/3698

Access Bypass, E-Commerce

Drupal Email Verification Module Script Insertion and Security Bypass

May 25th, 2009

Application: Drupal
Affected Version: versions prior to 5.x-2.1
Vendor’s URL: Email Verification Module
Bug Type: Security Bypass and Cross Site Scripting
Risk Level: Critical

Solution:
Update to version 5.x-2.1 or 6.x-1.2.

Access Bypass, Content Management, Cross Site Scripting

Coppermine Photo Gallery Multiple Vulnerabilities

May 22nd, 2009

Application: Coppermine Photo Gallery
Affected Version: version 1.4.22 and other versions.
Vendor’s URL: Coppermine Photo Gallery
Bug Type: SQL Injection and System Access
Risk Level: Critical

Solution:
Set “magic_quotes_gpc” to “On” and “register_globals” to “Off” in php.ini. This is a configuration workaround; no fixed version is listed.

Access Bypass, Image Galleries, SQL Injection

Drupal Node Access User Reference Module Security Bypass

May 22nd, 2009

Application: Drupal
Affected Version: 5.x prior to 5.x-2.0-beta4 and 6.x prior to 6.x-2.0-beta6.
Vendor’s URL: Drupal
Bug Type: Security Bypass
Risk Level: Medium

Solution:
Update to version 5.x-2.0-beta4 (Drupal 5.x) or 6.x-2.0-beta6 (Drupal 6.x).
http://drupal.org/node/448390
http://drupal.org/node/448392

Access Bypass, Content Management

Drupal Forward Module Security Bypass

March 27th, 2009

Application: Drupal
Affected Version: prior to 5.x-1.19
Vendor’s URL: Drupal Forward Module
Bug Type: Security Bypass
Risk Level: Medium

Solution:
Update to version 5.x-1.19.

Access Bypass, Content Management

Coppermine Photo Gallery Variable Overwrite Vulnerability

February 20th, 2009

Application: Coppermine
Affected Version: version 1.4.19 and other versions.
Vendor’s URL: Photo Gallery
Bug Type: Security Bypass
Risk Level: Critical

Solution:
Update to version 1.4.20.

Access Bypass, Image Galleries

Drupal Internationalization (i18n) Translation Module Security Bypass

January 19th, 2009

Application: Drupal
Affected Version: versions prior to 5.x-2.5.
Vendor’s URL: Internationalization (i18n) Translation Module
Bug Type: Security Bypass
Risk Level: Medium

Solution:
Update to version 5.x-2.5.

Access Bypass, Content Management

Drupal Content Translation Module Security Bypass

January 19th, 2009

Application: Drupal
Affected Version: Drupal 6.x prior to 6.9.
Vendor’s URL: Content Translation Module
Bug Type: Security Bypass
Risk Level: Medium

Solution:
Update to version 6.9.

Access Bypass, Content Management

XOOPS “mydirname” PHP Code Injection

January 19th, 2009

Application: XOOPS
Affected Version: version 2.3.2b and other versions.
Vendor’s URL: XOOPS
Bug Type: Code Injection
Risk Level: Critical

Solution:
Restrict web access to the affected files (e.g. via “.htaccess”).
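As an added example (not from the XOOPS advisory or the XOOPS project), the following .htaccess fragment shows how the workaround above is written for Apache. It denies direct HTTP requests to the named files while leaving them readable by PHP, so XOOPS can still include them server-side. The file name pattern is a placeholder; substitute the files the vendor identifies. It takes effect only if the directory's AllowOverride permits Limit (or All); with AllowOverride None the rules are silently ignored, so confirm with a direct request that the file now returns 403.

```apache
# Added example, not part of the advisory. "affected_file" is a placeholder
# for the file names the vendor lists; replace it before use.

# Apache 2.4 (mod_authz_core present)
<IfModule mod_authz_core.c>
    <FilesMatch "^(affected_file)\.php$">
        Require all denied
    </FilesMatch>
</IfModule>

# Apache 2.2 (no mod_authz_core)
<IfModule !mod_authz_core.c>
    <FilesMatch "^(affected_file)\.php$">
        Order deny,allow
        Deny from all
    </FilesMatch>
</IfModule>
```

Blocking the URL does not remove the injection from the code; it only stops the vulnerable file from being reached as a request target, so the fix remains a patched release from the vendor.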

Access Bypass, Content Management