

Local File Include

[DSECRG-08-027] Multiple RFI-LFI in 1024 CMS 1.4.3, 1.4.4 RFC

Application:                    1024 CMS
Versions Affected:              1.4.3, 1.4.4 RFC
Vendor URL:                     http://www.1024cms.com/
Bug:                            Multiple Remote/Local File Include
Exploits:                       YES
Reported:                       18.06.2008
Second report:                  27.06.2008
Vendor Response:                NONE
Solution:                       NONE

[DSECRG-08-036] Multiple Security Vulnerabilities in Freeway eCommerce 1.4.1.171

Description
***********

Freeway eCommerce system has multiple security vulnerabilities:

1. Multiple Remote/Local File Include
2. Linked XSS vulnerability 


Details
*******

[DSECRG-08-038] Multiple Local File Include Vulnerabilities in ezContents CMS 2.0.3

Application:                    ezContents CMS
Versions Affected:              2.0.3
Application URL:                http://www.ezcontents.org/
Vendor URL:                     http://www.visualshapers.com/
Bug:                            Multiple Local File Include
Exploits:                       YES
Reported:                       05.08.2008
Second report:                  18.08.2008
Vendor Response:                NONE
Solution:                       NONE

[DSECRG-09-004] AXIS 70U Network Document Server - Privilege Escalation and XSS

Application:                    AXIS 70U Network Document Server (Web Interface)
Versions Affected:              3.0
Vendor URL:                     http://www.axis.com/
Bug:                            Local File Include and Privilege Escalation, Multiple Linked XSS
Exploits:                       YES
Reported:                       20.10.2008
Vendor response:                20.10.2008
Last response:                  02.01.2009
Vendor Case ID:                 143027

[DSECRG-08-012] Multiple LFI in Azucar CMS 1.3

Application:                    Azucar CMS
Versions Affected:              1.3
Vendor URL:                     http://azucarcms.sourceforge.net/en_home.htm
Bug:                            Multiple Local File Include
Exploits:                       YES
Reported:                       30.01.2008
Vendor Response:                NONE
Date of Public Advisory:        05.02.2008
Authors:                        Alexandr Polyakov, Stas Svistunovich

[DSECRG-08-039] Local File Include Vulnerability in Pluck CMS 4.5.3

Application:                    Pluck CMS
Versions Affected:              4.5.3
Vendor URL:                     http://www.pluck-cms.org/
Bug:                            Local File Include
Exploits:                       YES
Reported:                       25.08.2008
Vendor Response:                30.08.2008
Solution:                       YES 
Date of Public Advisory:        18.11.2008

Day of bugs in WordPress 2

I conducted the project Day of bugs in WordPress
(http://websecurity.com.ua/1685/) on 30.12.2007 and had long ago
planned to conduct a new project, but only now found the time. In that project
I disclosed 81 vulnerabilities - these are Arbitrary file edit
(http://websecurity.com.ua/1686/), Local File Include, Directory Traversal
and Full path disclosure (http://websecurity.com.ua/1687/) vulnerabilities.
Among them there are 49 Full path disclosure, 1 Arbitrary file edit and 31
Local File Include and Directory Traversal (CVE-2008-0195, CVE-2008-0196).
If I'd decided to make not "day of bugs" but "month of bugs" (publishing
the holes one by one), then these vulnerabilities would have been enough for

FWD: LedgerSMB Security Advisory: Multiple Vulnerabilities

differences as to how these affect LedgerSMB are noted below.

These vulnerabilities include:
* No Cross-Site-Request-Forgery (XSRF) protection (CVE-2009-3580)
* SQL Injection (similar to CVE-2009-3582)
* Local File Include (CVE-2009-3583)
* Default Administrator Password Weakness (CVE-2009-4402)
* No secure flag on cookie when (CVE-2009-3584)

All five have been patched, either in stable versions or in
hotfixes.  Please read below for more information.

[DSECRG-08-019] LFI in PowerBook 1.21

Application:                    PowerBook
Versions Affected:              1.21
Vendor URL:                     http://www.powerscripts.org/
Bug:                            Local File Include
Exploits:                       YES
Reported:                       01.02.2008
Vendor Response:                none
Solution:                       none
Date of Public Advisory:        ..2008

[DSECRG-08-024] Multiple Security Vulnerabilities (RFI,LFI,XSS) in QuateCMS

Description
***********

Quate CMS system has multiple security vulnerabilities:

1. Multiple Remote/Local File Include
2. Multiple Linked XSS vulnerabilities 
3. Directory traversal 


Details
*******

[DSECRG-08-022] Multiple Security Vulnerabilities in Bolinos 4.6.1

Application:                    BolinOS 
Versions Affected:              4.6.1
Vendor URL:                     http://www.bolinos.com
Bugs:                           Local File Include, Multiple XSS, System information disclosure
Exploits:                       YES
Reported:                       13.03.2008
Second report:                  18.03.2008
Vendor response:                none
Solution:                       none    

[DSECRG-08-026] LFI in Open Azimyt CMS 0.22

Application:                    Open Azimyt CMS
Versions Affected:              0.22 minimal, 0.21 stable
Vendor URL:                     http://azimyt.net/
Bug:                            Local File Include
Exploits:                       YES
Reported:                       07.06.2008
Vendor Response:                08.06.2008
Solution:                       YES
Date of Public Advisory:        16.06.2008

[DSECRG-08-014] Multiple LFI in PowerNews (Newsscript) 2.5.6

Application:                    PowerNews (Newsscript)
Versions Affected:              2.5.6
Vendor URL:                     http://www.powerscripts.org/
Bug:                            Multiple Local File Include
Exploits:                       YES
Reported:                       01.02.2008
Vendor Response:                none
Solution:                       none
Date of Public Advisory:        08.02.2008

[ISecAuditors Security Advisories] Simple PHP Blog <= 0.5.1 Local File Include vulnerability

- Severity: 6.8/10 (CVSS scored)
=============================================

I. VULNERABILITY
-------------------------
Simple PHP Blog <= 0.5.1 Local File Include vulnerability

II. BACKGROUND
-------------------------
Simple PHP Blog is a blog system that does not require a database setup, and
is very easy to install.

[DSECRG-08-009] xoops 2.0.18 Local File Include

Application:                    XOOPS
Versions Affected:              XOOPS 2.0.18
Vendor URL:                     http://www.xoops.org/
Bugs:                           Local File Include, URL Redirecting (phishing)
Exploits:                       YES
Reported:                       28.01.2008
Vendor response:                28.01.2008
Date of Public Advisory:        04.02.2008
Authors:                        Alexandr Polyakov, Stas Svistunovich

LFI in Tuned Studios Templates

Application:                    Tuned Studios Templates
Versions Affected:              All
Vendor URL:                     http:/www.tunedstudios.com
Bug:                            Local File Include
Exploit:                        YES
Reported:                       09.01.2008
Date of Public Advisory:        09.01.2008
Authors:                        Alexandr Polyakov, Stas Svistunovich
                                Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)

[DSECRG-08-021] Multiple LFI in PowerPHPBoard 1.00b

Application:                    PowerPHPBoard
Versions Affected:              1.00b
Vendor URL:                     http://www.powerscripts.org/
Bug:                            Multiple Local File Include
Exploits:                       YES
Reported:                       01.02.2008
Vendor Response:                none
Solution:                       none
Date of Public Advisory:        24.03.2008

[DSECRG-08-002] Local File Include in arias 0.99-6

Application:                    aria-0.99-6 (Web based ERP)
Versions Affected:              aria-0.99-6
Vendor URL:                     http://www.tucows.net/
Bug:                            Local File Include
Exploits:                       YES
Reported:                       09.01.2008
Vendor Response:                None
Date of Public Advisory:        15.01.2008
Authors:                        Alexandr Polyakov, Stas Svistunovich

[DSECRG-08-037] Multiple Local File Include Vulnerabilities in Pluck CMS 4.5.2

Application:                    Pluck CMS
Versions Affected:              4.5.2
Vendor URL:                     http://www.pluck-cms.org/
Bug:                            Multiple Local File Include
Exploits:                       YES
Reported:                       28.07.2008
Vendor Response:                03.08.2008
Solution:                       YES
Date of Public Advisory:        25.08.2008

[DSECRG-08-025] Local File Include in OneCMS 2.5

Application:                    OneCMS
Versions Affected:              2.5
Vendor URL:                     http://www.insanevisions.com/
Bug:                            Local File Include
Exploits:                       YES
Reported:                       26.03.2008
Vendor Response:                NONE
Solution:                       NONE
Date of Public Advisory:        23.05.2008

[DSECRG-08-010] VHD Web Pack 2.0 Local File Include

Application:                    VHD Web Pack 2.0
Versions Affected:              VHD Web Pack 2.0
Vendor URL:                     http://www.divideconcept.net/index.php?page=vhdwebpack/index.php
Bugs:                           Local File Include
Exploits:                       YES
Reported:                       28.01.2008
Vendor response:                NONE
Date of Public Advisory:        04.02.2008
Authors:                        Alexandr Polyakov, Stas Svistunovich

OpenBiblio 0.5.2-pre4 and prior multiple vulnerabilities

Product:        OpenBiblio
Version:        Version 0.5.2 Prerelease 4 and prior is affected
Url:            http://obiblio.sourceforge.net/
Affected by:    Full path disclosure, local file include, phpinfo
                disclosure, multiple Cross Site Scripting, SQL injection

SQL-Ledger - several vulnerabilities

Website: http://www.sql-ledger.org
Vulnerabilities:
  - no Cross-Site-Request-Forgery (XSRF) protection
  - persistent cross site scripting
  - SQL injections
  - local file include
  - secure cookie flag not set
Class: remote
Status: unpatched
Severity: moderate
Releases known to be affected: 2.8.24

[DSECRG-08-033] Local File Include Vulnerability in Pixelpost 1.7.1

Application:                    Pixelpost photoblog
Versions Affected:              1.7.1
Vendor URL:                     http://www.pixelpost.org/
Bug:                            Local File Include
Exploits:                       YES
Reported:                       22.07.2008
Vendor response:                23.07.2008
Solution:                       YES
Date of Public Advisory:        28.07.2008

[DSECRG-08-040] Multiple Local File Include Vulnerabilities in Xoops 2.3.x

Application:                    XOOPS   
Versions Affected:              2.3.1
Vendor URL:                     http://www.xoops.org/
Bug:                            Multiple Local File Include
Exploits:                       YES
Reported:                       10.11.2008
Vendor response:                10.11.2008
Solution:                       YES
Date of Public Advisory:        08.12.2008

LFI Vulnerability in 1024cms Admin Control Panel v1.1.0 Beta (Complete-Modules Package)

=============================================================================================================
   1024cms Admin Control Panel v1.1.0 Beta (Complete-Modules Package) - Local File Include Vulnerability
=============================================================================================================
  
Software:               1024cms Admin Control Panel v1.1.0 Beta (complete-modules package)
Vendor:                 http://1024cms.org/
Vuln Type:              Local File Include
Remote:                 Yes
Local:                  No
Discovered by:  QSecure and Demetris Papapetrou 

[DSECRG-08-034] Local File Include Vulnerability in Minishowcase v09b136

Application:                    Minishowcase Image Gallery      
Versions Affected:              v09b136
Vendor URL:                     http://minishowcase.frwrd.net
Bug:                            Local File Include
Exploits:                       YES
Reported:                       14.07.2008
Second report:                  22.07.2008
Vendor response:                NONE
Solution:                       NONE

[DSECRG-08-031] Local File Include Vulnerability in Interact 2.4.1

Application:                    Interact E-Learning System      
Versions Affected:              2.4.1
Vendor URL:                     http://sourceforge.net/projects/cce-interact
Bug:                            Local File Include
Exploits:                       YES
Reported:                       03.07.2008
Vendor response:                04.07.2008
Solution:                       YES
Date of Public Advisory:        21.07.2008

[DSECRG-08-029] Local File Include in Dokeos E-Learning System 1.8.5

Application:                    Dokeos E-Learning System        
Versions Affected:              1.8.5
Vendor URL:                     http://dokeos.com/
Bug:                            Local File Include
Exploits:                       YES
Reported:                       01.07.2008
Vendor response:                05.07.2008
Solution:                       YES
Date of Public Advisory:        17.07.2008

Phpay - Local File Inclusion

Version Affected:2.02.1



Phpay has been affected by multiple local file include flaws; as a result, this patch was written:

$config = ereg_replace(":","", $config);

$config = trim(ereg_replace("../","", $config));

