Web application abuses : Flashlight Free Edition SQL Injection and Directory Traversal Vulnerability

Búsqueda de Vulnerabilidad		Buscar 324607 Descripciones CVE y 146377 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.0.801075

Categoría: Web application abuses

Título: Flashlight Free Edition SQL Injection and Directory Traversal Vulnerability

Resumen: Flashlight Free Edition is prone to SQL Injection and Directory Traversal Vulnerability.

Descripción: Summary:
Flashlight Free Edition is prone to SQL Injection and Directory Traversal Vulnerability.

Vulnerability Insight:
Flaws are due to:

- An error in 'read.php' which is not properly sanitizing user supplied input
before being used in SQL queries via 'id' parameter.

- An error in 'admin.php' which is not properly sanitizing user supplied input
before being used via a .. (dot dot) in the action 'parameter' which causes
directory traversal attacks in the application context.

Vulnerability Impact:
Successful exploitation could allow remote attackers to view, add,
modify or delete information in the back end database or include arbitrary files
from local and remote resources to compromise a vulnerable server.

Affected Software/OS:
Flashlight Free version 1.0 on all running platform.

Solution:
No known solution was made available for at least one year since the disclosure
of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer
release, disable respective features, remove the product or replace the product by another one.

CVSS Score:
7.5

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P

Referencia Cruzada: Common Vulnerability Exposure (CVE) ID: CVE-2009-4204
http://www.exploit-db.com/exploits/8856
XForce ISS Database: flashlight-read-sql-injection(50906)
https://exchange.xforce.ibmcloud.com/vulnerabilities/50906
Common Vulnerability Exposure (CVE) ID: CVE-2009-4205
XForce ISS Database: flashlight-admin-file-include(50907)
https://exchange.xforce.ibmcloud.com/vulnerabilities/50907

Copyright Copyright (C) 2009 Greenbone AG

Esta es sólo una de 146377 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.0.801075
Categoría:	Web application abuses
Título:	Flashlight Free Edition SQL Injection and Directory Traversal Vulnerability
Resumen:	Flashlight Free Edition is prone to SQL Injection and Directory Traversal Vulnerability.
Descripción:	Summary: Flashlight Free Edition is prone to SQL Injection and Directory Traversal Vulnerability. Vulnerability Insight: Flaws are due to: - An error in 'read.php' which is not properly sanitizing user supplied input before being used in SQL queries via 'id' parameter. - An error in 'admin.php' which is not properly sanitizing user supplied input before being used via a .. (dot dot) in the action 'parameter' which causes directory traversal attacks in the application context. Vulnerability Impact: Successful exploitation could allow remote attackers to view, add, modify or delete information in the back end database or include arbitrary files from local and remote resources to compromise a vulnerable server. Affected Software/OS: Flashlight Free version 1.0 on all running platform. Solution: No known solution was made available for at least one year since the disclosure of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer release, disable respective features, remove the product or replace the product by another one. CVSS Score: 7.5 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2009-4204 http://www.exploit-db.com/exploits/8856 XForce ISS Database: flashlight-read-sql-injection(50906) https://exchange.xforce.ibmcloud.com/vulnerabilities/50906 Common Vulnerability Exposure (CVE) ID: CVE-2009-4205 XForce ISS Database: flashlight-admin-file-include(50907) https://exchange.xforce.ibmcloud.com/vulnerabilities/50907
Copyright	Copyright (C) 2009 Greenbone AG