Web application abuses : iScripts AutoHoster <= 2.4 Multiple Vulnerabilities

Búsqueda de Vulnerabilidad		Buscar 324607 Descripciones CVE y 146377 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.0.804165

Categoría: Web application abuses

Título: iScripts AutoHoster <= 2.4 Multiple Vulnerabilities

Resumen: iScripts AutoHoster is prone to multiple vulnerabilities.

Descripción: Summary:
iScripts AutoHoster is prone to multiple vulnerabilities.

Vulnerability Insight:
Multiple errors are due to:

- Improper validation of user-supplied input to the 'checktransferstatus.php',
'additionalsettings.php', 'payinvoiceothers.php' and 'checktransferstatusbck.php' scripts through
unspecified parameters.

- Input passed via the 'tmpid' parameter to the 'showtemplateimage.php' script, the 'fname'
parameter to the 'downloadfile.php' script and the 'id' parameter to the 'csvdownload.php' script
is not sanitised for requests using directory traversal attack (e.g., ../).

- Improper validation of user-supplied input to the 'tldHoldList.php' script via the 'fa'
parameter.

Vulnerability Impact:
Successful exploitation will allow attackers to read arbitrary
files on the target system, obtain some sensitive information or execute arbitrary script code on
the vulnerable server, perform SQL injection and compromise the application.

Affected Software/OS:
iScripts AutoHoster version 2.4 and probably prior.

Solution:
No known solution was made available for at least one year
since the disclosure of this vulnerability. Likely none will be provided anymore. General solution
options are to upgrade to a newer release, disable respective features, remove the product or
replace the product by another one.

CVSS Score:
7.5

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P

Referencia Cruzada: Common Vulnerability Exposure (CVE) ID: CVE-2013-7189
http://seclists.org/fulldisclosure/2013/Dec/121
http://osvdb.org/101049
http://osvdb.org/101050
http://osvdb.org/101051
http://osvdb.org/101053
XForce ISS Database: iscripts-autohoster-multiple-sql-injection(89816)
https://exchange.xforce.ibmcloud.com/vulnerabilities/89816
Common Vulnerability Exposure (CVE) ID: CVE-2013-7190
XForce ISS Database: autohoster-mainsmtp-directory-traversal(89818)
https://exchange.xforce.ibmcloud.com/vulnerabilities/89818

Copyright Copyright (C) 2013 Greenbone AG

Esta es sólo una de 146377 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.0.804165
Categoría:	Web application abuses
Título:	iScripts AutoHoster <= 2.4 Multiple Vulnerabilities
Resumen:	iScripts AutoHoster is prone to multiple vulnerabilities.
Descripción:	Summary: iScripts AutoHoster is prone to multiple vulnerabilities. Vulnerability Insight: Multiple errors are due to: - Improper validation of user-supplied input to the 'checktransferstatus.php', 'additionalsettings.php', 'payinvoiceothers.php' and 'checktransferstatusbck.php' scripts through unspecified parameters. - Input passed via the 'tmpid' parameter to the 'showtemplateimage.php' script, the 'fname' parameter to the 'downloadfile.php' script and the 'id' parameter to the 'csvdownload.php' script is not sanitised for requests using directory traversal attack (e.g., ../). - Improper validation of user-supplied input to the 'tldHoldList.php' script via the 'fa' parameter. Vulnerability Impact: Successful exploitation will allow attackers to read arbitrary files on the target system, obtain some sensitive information or execute arbitrary script code on the vulnerable server, perform SQL injection and compromise the application. Affected Software/OS: iScripts AutoHoster version 2.4 and probably prior. Solution: No known solution was made available for at least one year since the disclosure of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer release, disable respective features, remove the product or replace the product by another one. CVSS Score: 7.5 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2013-7189 http://seclists.org/fulldisclosure/2013/Dec/121 http://osvdb.org/101049 http://osvdb.org/101050 http://osvdb.org/101051 http://osvdb.org/101053 XForce ISS Database: iscripts-autohoster-multiple-sql-injection(89816) https://exchange.xforce.ibmcloud.com/vulnerabilities/89816 Common Vulnerability Exposure (CVE) ID: CVE-2013-7190 XForce ISS Database: autohoster-mainsmtp-directory-traversal(89818) https://exchange.xforce.ibmcloud.com/vulnerabilities/89818
Copyright	Copyright (C) 2013 Greenbone AG