|
 |
| SecurityReason | ||
| WLB | ||
| RSS | ||
| Corporate | ||
| Services | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
| Details : SecurityAlert | ||||
 SecurityAlert : 1569 CVE : CVE-2006-4757 SecurityRisk : Low  (About) Remote Exploit : Yes Local Exploit : No Exploit Given : Yes Credit : Omid Published : 18.09.2006
Advisory Text : Hi, There are several sql injections in e107 0.7.5 admin section : I) The "linkopentype", "linkrender" and "link_class" parameters are passed to "db_Insert()" function without checking : File /e107_admin/links.php, Line 496 : >> $sql->db_Insert("links", "0, '$link_name', '$link_url', '$link_description', '$link_button', ".$_POST['linkrender'].", ".($link_t+1).", ".$parent_id.", ".$_POST['linkopentype'].", ".$_POST['link_class']); II) The "linkopentype", "linkrender", "link_class" and "link_id" parameters are passed to "db_Update()" and "db_Select()" functions without checking : File /e107_admin/links.php, Line 480 : >> $sql->db_Update("links", "link_parent='$parent_id', link_name='$link_name', link_url='$link_url', link_description='$link_description', link_button= '$link_button', link_category='".$_POST['linkrender']."', link_open='".$_POST['linkopentype']."', link_class='".$_POST['link_class']."' WHERE link_id='$id'"); File /e107_admin/links.php, Line 482 : >> if($sql->db_Select("links", "*", "link_parent='{$id}'")) POC : ----- Go to "Admin" -> "Site Links" -> "Edit" section (/e107_admin/links.php?create.edit.1), and change the values of "linkopentype", "linkrender", "link_class" and "link_id" inputs. III) The "searchquery" parameter in file /e107_admin/users.php, line 448 is not checked against sql injection : >> $_POST['searchquery'] = trim($_POST['searchquery']); Which make the next query vulnerable . POC : ----- Go to users admin section (/e107_admin/users.php), and search for "1' SQL" . IV) The "download_category_class" parameter is not checked properly before using in the insert query : File /e107_admin/download.php, Line 1320 : >> admin_update($sql->db_Insert("download_category", "0, '$download_category_name', '$download_category_description', '$download_category_icon', '".intval($_POST['download_category_parent'])."', '".$_POST['download_category_class']."', 0 "), 'insert', DOWLAN_47); These are in administration section, so they dont seem to be critical. - Omid Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
Microsoft VISTA TCP/IP stack buffer overflow
Microsoft Device IO Control wrapped by the iphlpapi.dll API shipping with Windows Vista 32 bit and 64 bit contains a possibly exploitable, buffer overflow corrupting kernel memory. |
||
| Apache |  |
|
» Apache Tomcat <= |
||
| PHP | |
|
- 2008-11-27| Copyright © SecurityReason. All Rights Reserved. |