www.sektioneins.de
-= Security Advisory =-
Advisory: Horde Application Framework Horde_Form_Type_image
Arbitrary File Overwrite Vulnerability
Release Date: 2009/09/18
Last Modified: 2009/09/18
Author: Stefan Esser [stefan.esser[at]sektioneins.de]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Horde Application Framework: Multiple vulnerabilities
Date: May 05, 2008
Bugs: #212635, #213493
ID: 200805-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Hello Bugtraq!
I want to warn you about security vulnerabilities in Dataface Web
Application Framework.
-----------------------------
Advisory: Vulnerabilities in Dataface Web Application Framework
-----------------------------
URL: http://websecurity.com.ua/4276/
-----------------------------
-------------------------
Horde 3.3.5 "PHP_SELF" Cross-Site Scripting vulnerability
II. BACKGROUND
-------------------------
The Horde Application Framework is a modular, general-purpose web
application framework written in PHP. It provides an extensive array
of classes that are targeted at the common problems and tasks involved
in developing modern web applications.
III. DESCRIPTION
Vulnerability ID: HTB22414
Reference: http://www.htbridge.ch/advisory/sql_injection_vulnerability_in_modx_cms.html
Product: MODx CMS and Application Framework
Vendor: MODx
Vulnerable Version: 1.0.3 and Probably Prior Versions
Vendor Notification: 28 May 2010
Vulnerability Type: SQL Injection
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium
Credit: High-Tech Bridge SA (http://www.htbridge.ch/)
Vulnerability ID: HTB22413
Reference: http://www.htbridge.ch/advisory/sql_injection_vulnerability_in_modx_cms_and_application_framework_1.html
Product: MODx CMS and Application Framework
Vendor: MODx
Vulnerable Version: 1.0.3 and Probably Prior Versions
Vendor Notification: 28 May 2010
Vulnerability Type: SQL Injection
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium
Credit: High-Tech Bridge SA (http://www.htbridge.ch/)
Problem type : remote
Debian-specific: no
CVE ID : CVE-2010-4802 CVE-2010-4803 CVE-2011-1841
Several vulnerabilities have been discovered in Mojolicious, a Perl Web
Application Framework. The link_to helper was affected by cross-site
scripting, and implementation errors in the MD5 HMAC and CGI environment
handling have been corrected.
The oldstable distribution (lenny) doesn't include libmojolicious-perl.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities in the Horde Application Framework can allow
for arbitrary files to be overwritten and cross-site scripting attacks.
Background
==========
Vulnerability ID: HTB22412
Reference: http://www.htbridge.ch/advisory/sql_injection_vulnerability_in_modx_cms_and_application_framework.html
Product: MODx CMS and Application Framework
Vendor: MODx
Vulnerable Version: 1.0.3 and Probably Prior Versions
Vendor Notification: 28 May 2010
Vulnerability Type: SQL Injection
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium
Credit: High-Tech Bridge SA (http://www.htbridge.ch/)
Vulnerability ID: HTB23039
Reference: https://www.htbridge.ch/advisory/xss_in_zikula.html
Product: Zikula Application Framework
Vendor: Zikula Software Foundation ( http://zikula.org/ )
Vulnerable Version: 1.3.0, build #3168 and probably prior
Tested Version: 1.3.0, build #3168
Vendor Notification: 17 August 2011
Vulnerability Type: XSS (Cross Site Scripting)
Status: Fixed by Vendor
Risk level: Medium
####################
- Description:
####################
quote from vendor: "MODx is an open source PHP Application Framework
that helps you take control of your online content.
It empowers developers and advanced users to give as much control as
desired to whomever they desire for day-to-day website content
maintenance chores."
CVE-2009-1725 CVE-2009-2700
Debian Bugs : 532718 534946 538347 545793
Several vulnerabilities have been discovered in qt4-x11, a cross-platform
C++ application framework.
The Common Vulnerabilities and Exposures project identifies the
following problems:
CVE-2009-0945
Vulnerability ID: HTB22351
Reference: http://www.htbridge.ch/advisory/xsrf_csrf_in_zikula_application_framework.html
Product: Zikula Application Framework
Vendor: Zikula Software Foundation
Vulnerable Version: 1.2.2 and Probably Prior Versions
Vendor Notification: 19 April 2010
Vulnerability Type: CSRF (Cross-Site Request Forgery)
Status: Fixed by Vendor
Risk level: Low
Credit: High-Tech Bridge SA (http://www.htbridge.ch/)
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2007-6018
Ulf Harnhammer discovered that the HTML filter of the Horde web
application framework performed insufficient input sanitising, which
may lead to the deletion of emails if a user is tricked into viewing
a malformed email inside the Imp client.
This update also provides backported bugfixes to the cross-site
scripting filter and the user management API from the latest Horde
###################################################################################
####################
1. Description:
####################
DotNetNuke is an open source web application framework ideal for creating, deploying and managing interactive web, intranet and extranet sites.
####################
2. Vulnerability:
####################
XSS in "Default.aspx", by using "/" after the ".aspx" file. We must use another ".aspx" string, before "?" or at end of the URL.
or Cross-Site Scripting.
Background
==========
Horde is a web application framework written in PHP. Horde IMP, the
"Internet Messaging Program", is a Webmail module and Horde Passwd is a
password changing module for Horde.
Affected packages
=================
2. PRODUCT DESCRIPTION
Joomla is a free and open source content management system (CMS) for
publishing content on the World Wide Web and intranets. It comprises a
model–view–controller (MVC) Web application framework that can also be
used independently.
Joomla is written in PHP, uses object-oriented programming (OOP)
techniques and software design patterns, stores data in a MySQL
database, and includes features such as page caching, RSS feeds,
printable versions of pages, news flashes, blogs, polls, search, and
Debian-specific: no
CVE ID : CVE-2011-1589
Debian Bug : 622952
Viacheslav Tykhanovskyi discovered a directory traversal vulnerability in
Mojolicious, a Perl Web Application Framework.
The oldstable distribution (lenny) doesn't contain libmojolicious-perl.
For the stable distribution (squeeze), this problem has been fixed in
version 0.999926-1+squeeze1.
Vulnerability ID: HTB22348
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_zikula_application_framework.html
Product: Zikula Application Framework
Vendor: Zikula Software Foundation
Vulnerable Version: 1.2.2 and Probably Prior Versions
Vendor Notification: 13 April 2010
Vulnerability Type: XSS (Cross Site Scripting)
Status: Fixed by Vendor
Risk level: Medium
Credit: High-Tech Bridge SA (http://www.htbridge.ch/)
Problem type : remote
Debian-specific: no
Debian bug : #547318
CVE ID : CVE-2009-3236
Stefan Esser discovered that Horde, a web application framework providing
classes for dealing with preferences, compression, browser detection,
connection tracking, MIME, and more, is insufficiently validating and
escaping user provided input. The Horde_Form_Type_image form element
allows a temporary filename to be reused on reuploads; this filename is
stored in a hidden HTML field and then trusted without prior validation. An attacker
Tests performed on v3.0.195.25
III. BACKGROUND
-------------------------
Google Chrome is a web browser released by Google which uses the WebKit
layout engine and application framework. It is one of the four most popular
browsers in the market today. Google released the entire source code of
Chrome, including its bespoke V8 JavaScript engine as an open source project
entitled Chromium, in 2008. Google Chrome is best known for its fast speed,
simplicity and reliability.
Debian-specific: no
CVE ID : CVE-2009-3086 CVE-2009-4214
Debian Bug : 545063 558685
Two vulnerabilities were discovered in Ruby on Rails, a web
application framework. The Common Vulnerabilities and Exposures
project identifies the following problems:
CVE-2009-3086
The cookie store may be vulnerable to a timing attack,
potentially allowing remote attackers to forge message
Vulnerability ID: HTB22349
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_zikula_application_framework_1.html
Product: Zikula Application Framework
Vendor: Zikula Software Foundation
Vulnerable Version: 1.2.2 and Probably Prior Versions
Vendor Notification: 13 April 2010
Vulnerability Type: XSS (Cross Site Scripting)
Status: Fixed by Vendor
Risk level: Medium
Credit: High-Tech Bridge SA (http://www.htbridge.ch/)
Hi,
Horde Application Framework v3.3.8 and lower are subject to a cross site
scripting (XSS) vulnerability.
The icon_browser.php script fails to properly sanitize user supplied
input to the 'subdir' URL parameter before printing it out as part of a
HTML formatted error message.
The following URL can be used as a proof of concept:
Linux version 2.6 for core system services such as security, memory
management, process management, network stack, and driver model. The
kernel also acts as an abstraction layer between the hardware and the
rest of the software stack.
The WebKit application framework is included to facilitate development
of web client application functionality. The framework in turn uses
different third-party open source libraries to implement processing of
several image formats.
Android includes a web browser based on the Webkit framework that
Introduction:
=============
OSQA is the Open Source Q&A System. It is free software licensed under the GPL, and you can download the source code
for OSQA from our Subversion server. OSQA is originally based on CNProg, an excellent Chinese Q&A web application written
by Mike Chen and Sailing Cai. OSQA is written in Python and powered by the Django application framework.
Abstract:
=========
The Vulnerability Lab Research Team discovered multiple persistent input validation vulnerabilities in OSQA's CMS v3b.