|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  SecurityAlert Database |
||||
SecurityAlert : 1014 CVE : CVE-2006-2751 CVE : CVE-2006-2750 CVE : CVE-2006-2749 CVE : CVE-2006-2748 SecurityRisk : Medium  (About) Remote Exploit : Yes Local Exploit : No Exploit Available : Yes Credit : enji seclab tuwien ac at Published : 03.06.2006
Advisory Content : =========================================================== Open Searchable Image Catalogue: XSS and SQL Injection Vulnerabilities =========================================================== Technical University of Vienna Security Advisory TUVSA-0605-001, May 30, 2006 =========================================================== Affected applications ---------------------- Open Searchable Image Catalogue (http://cosp.wordpress.com/tag/osic, http://sourceforge.net/projects/osic-win) Versions 0.7 and prior. Description ------------ There are a number of cross site scripting (XSS) vulnerabilities that are caused by the second echo statement in function do_mysql_query (core.php, line 544). If a database query fails for some reason, the query is reflected back to the user. Here are a few points where this situation can be exploited (if register_globals is active and if the current user is logged in as admin): adminfunctions.php, line 531 http://localhost/osic07/admin.php?action=manageusers&username=neweviluse r&password=xyz&confpass=xyz&realname='&type=<script>alert('hi')</script> adminfunctions.php, line 561 http://localhost/osic07/admin.php?action=manageusers&id=777&username=new eviluser&password=xyz&confpass=xyz&realname='&type=<script>alert('hi')</ script> editcatalogue.php, line 523 http://localhost/osic07/admin.php?action=editcatalogue&op=additems&catal ogue_id='<script>alert('hi')</script>&uploaded=true&submit=true&AddRemai ning=true [there has to be at least one file with a valid extension in the uploads directory] editcatalogue.php, line 581 http://localhost/osic07/admin.php?action=editcatalogue&op=additems&catal ogue_id=777&uploaded=true&submit=true&catalogue_id='<script>alert('hi')< /script> The above vulnerabilities are also SQL Injection vulnerabilities. Some analogous cases in search.php: search.php, line 120: The $query variable can contain malicious user input due to the assignments on lines 90-112. search.php, line 152: $cf_query is tainted by $cfid, which is tainted by $tempCustomFieldID, which is tainted by $HTTP_POST_VARS (line 138). search.php, lines 243-250: There are calls to getValueFromID with $item_list as parameter, which can be controlled by an attacker. Solution --------- The authors have responded to our message quickly and have released version 0.7.0.1, which fixes the above issues. Timeline: March 30, 2006: - Vulnerabilities reported to Chris Goerner. - Response and release of fixed version. - Advisory submission. References ----------- http://www.seclab.tuwien.ac.at/advisories/TUVSA-0605-001.txt Nenad Jovanovic Secure Systems Lab Technical University of Vienna www.seclab.tuwien.ac.at  Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
libc:fts_*() Multiple Denial of Service
The fts functions are provided for traversing UNIX file hierarchies... |
||
| Apache |  |
|
» Apache Tomcat 6.0.20 and |
||
» Apache Tomcat 6.0.20 and |
||
» Apache Tomcat 6.0.20 and |
||
| PHP | |
|
» PHP 5.2.12/5.3.1 |
||
- 2009-10-02| Copyright © SecurityReason.com. All Rights Reserved. |