Vulnerability   
Search   
    Search 219043 CVE descriptions
and 99761 test descriptions,
access 10,000+ cross references.
Tests   CVE   All  

Test ID:1.3.6.1.4.1.25623.1.0.800682
Category:Web application abuses
Title:2532|Gigs Directory Traversal And SQL Injection Multiple Vulnerabilities
Summary:This host is running 2532-Gigs and is prone to Directory Traversal and; SQL Injection Vulnerabilities.
Description:Summary:
This host is running 2532-Gigs and is prone to Directory Traversal and
SQL Injection Vulnerabilities.

Vulnerability Insight:
- Vulnerability exists in activateuser.php, manage_venues.php,
mini_calendar.php, deleteuser.php, settings.php, and manage_gigs.php files when
input passed to the 'language' parameter is not properly verified before being
used to include files via a .. (dot dot).

- Input passed to the 'username' and 'password' parameters in checkuser.php
is not properly sanitised before being used in SQL queries.

- Error in upload_flyer.php which can be exploited by uploading a file with an
executable extension, then accessing it via a direct request to the file in flyers/.

Vulnerability Impact:
Successful exploitation will allow attacker to cause directory
traversal or SQL injection attacks, and can execute arbitrary code when
register_globals is enabled and magic_quotes_gpc is disabled.

Affected Software/OS:
2532-Gigs version 1.2.2 and prior.

Solution:
No known solution was made available for at least one year since the disclosure
of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer
release, disable respective features, remove the product or replace the product by another one.

CVSS Score:
6.8

CVSS Vector:
AV:N/AC:M/Au:N/C:P/I:P/A:P

Cross-Ref: BugTraq ID: 32911
BugTraq ID: 32913
Common Vulnerability Exposure (CVE) ID: CVE-2008-6901
http://www.securityfocus.com/bid/32911
https://www.exploit-db.com/exploits/7510
http://secunia.com/advisories/26585
XForce ISS Database: 2532gigs-language-file-include(47465)
https://exchange.xforce.ibmcloud.com/vulnerabilities/47465
Common Vulnerability Exposure (CVE) ID: CVE-2008-6902
XForce ISS Database: 2532gigs-uploadflyer-file-upload(47466)
https://exchange.xforce.ibmcloud.com/vulnerabilities/47466
Common Vulnerability Exposure (CVE) ID: CVE-2008-6907
http://www.securityfocus.com/bid/32913
https://www.exploit-db.com/exploits/7511
XForce ISS Database: 2532gigs-checkuser-sql-injection(47491)
https://exchange.xforce.ibmcloud.com/vulnerabilities/47491
CopyrightCopyright (C) 2009 Greenbone Networks GmbH

This is only one of 99761 vulnerability tests in our test suite. Find out more about running a complete security audit.

To run a free test of this vulnerability against your system, register below.




© 1998-2024 E-Soft Inc. All rights reserved.