Web application abuses : Status2K Multiple Vulnerabilities

Búsqueda de Vulnerabilidad		Buscar 324607 Descripciones CVE y 146377 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.0.804736

Categoría: Web application abuses

Título: Status2K Multiple Vulnerabilities

Resumen: Status2K is prone to multiple vulnerabilities.

Descripción: Summary:
Status2K is prone to multiple vulnerabilities.

Vulnerability Insight:
Multiple flaws are due to input sanitization error,

- 'Username' parameter the login.php script.

- 'log' GET parameter to the /s2kdir/admin/options/logs.php script.

- 'Location' parameter to the addlog.php script.

- 'multies' parameter to the /s2k/includes/functions.php script.

- 'templates' parameter to the /admin/options/editpl.php script.

- Failing to remove the /install/ installation directory after the program
has been installed.

- Failed to block phpinfo action on the index.php page.

Vulnerability Impact:
Successful exploitation will allow attacker to execute arbitrary HTML and
script code, manipulate SQL queries in the backend database, and disclose
certain sensitive information.

Affected Software/OS:
Status2K

Solution:
No known solution was made available for at least one year since the disclosure of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer release, disable respective features, remove the product or replace the product by another one.

CVSS Score:
10.0

CVSS Vector:
AV:N/AC:L/Au:N/C:C/I:C/A:C

Referencia Cruzada: Common Vulnerability Exposure (CVE) ID: CVE-2014-5088
BugTraq ID: 69012
http://www.securityfocus.com/bid/69012
http://packetstormsecurity.com/files/127719/Status2k-XSS-SQL-Injection-Command-Execution.html
Common Vulnerability Exposure (CVE) ID: CVE-2014-5089
Common Vulnerability Exposure (CVE) ID: CVE-2014-5090
Common Vulnerability Exposure (CVE) ID: CVE-2014-5091
http://www.exploit-db.com/exploits/34239
https://exchange.xforce.ibmcloud.com/vulnerabilities/95111
https://www.securityfocus.com/bid/69008
Common Vulnerability Exposure (CVE) ID: CVE-2014-5092
https://exchange.xforce.ibmcloud.com/vulnerabilities/95112
Common Vulnerability Exposure (CVE) ID: CVE-2014-5093
https://exchange.xforce.ibmcloud.com/vulnerabilities/95113
Common Vulnerability Exposure (CVE) ID: CVE-2014-5094
XForce ISS Database: status2k-cve20145094-info-disc(95114)
https://exchange.xforce.ibmcloud.com/vulnerabilities/95114

Copyright Copyright (C) 2014 Greenbone AG

Esta es sólo una de 146377 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.0.804736
Categoría:	Web application abuses
Título:	Status2K Multiple Vulnerabilities
Resumen:	Status2K is prone to multiple vulnerabilities.
Descripción:	Summary: Status2K is prone to multiple vulnerabilities. Vulnerability Insight: Multiple flaws are due to input sanitization error, - 'Username' parameter the login.php script. - 'log' GET parameter to the /s2kdir/admin/options/logs.php script. - 'Location' parameter to the addlog.php script. - 'multies' parameter to the /s2k/includes/functions.php script. - 'templates' parameter to the /admin/options/editpl.php script. - Failing to remove the /install/ installation directory after the program has been installed. - Failed to block phpinfo action on the index.php page. Vulnerability Impact: Successful exploitation will allow attacker to execute arbitrary HTML and script code, manipulate SQL queries in the backend database, and disclose certain sensitive information. Affected Software/OS: Status2K Solution: No known solution was made available for at least one year since the disclosure of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer release, disable respective features, remove the product or replace the product by another one. CVSS Score: 10.0 CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2014-5088 BugTraq ID: 69012 http://www.securityfocus.com/bid/69012 http://packetstormsecurity.com/files/127719/Status2k-XSS-SQL-Injection-Command-Execution.html Common Vulnerability Exposure (CVE) ID: CVE-2014-5089 Common Vulnerability Exposure (CVE) ID: CVE-2014-5090 Common Vulnerability Exposure (CVE) ID: CVE-2014-5091 http://www.exploit-db.com/exploits/34239 https://exchange.xforce.ibmcloud.com/vulnerabilities/95111 https://www.securityfocus.com/bid/69008 Common Vulnerability Exposure (CVE) ID: CVE-2014-5092 https://exchange.xforce.ibmcloud.com/vulnerabilities/95112 Common Vulnerability Exposure (CVE) ID: CVE-2014-5093 https://exchange.xforce.ibmcloud.com/vulnerabilities/95113 Common Vulnerability Exposure (CVE) ID: CVE-2014-5094 XForce ISS Database: status2k-cve20145094-info-disc(95114) https://exchange.xforce.ibmcloud.com/vulnerabilities/95114
Copyright	Copyright (C) 2014 Greenbone AG