Family: CGI abuses --> Category: attack
Xoops < 2.0.12 Multiple Vulnerabilities Vulnerability Scan
Vulnerability Scan Summary: Checks for multiple vulnerabilities in Xoops < 2.0.12
Detailed Explanation for this Vulnerability Test
Synopsis :
The remote web server contains several PHP scripts that are prone to
SQL injection and cross-site scripting attacks.
Description :
The installed version of Xoops on the remote host is affected by
several vulnerabilities:
- A SQL Injection Vulnerability
The bundled XMLRPC server fails to sanitize user-supplied
input to the 'xmlrpc.php' script. An attacker can exploit
this flaw to launch SQL injection attacks, which may lead to
authentication bypass, disclosure of sensitive information,
attacks against the underlying database, and the like.
- Multiple Cross-Site Scripting Vulnerabilities
An attacker can inject arbitrary HTML and script code
through the 'order' and 'cid' parameters of the
'modules/newbb/edit.php' and
'modules/repository/comment_edit.php' scripts respectively,
which could result in the disclosure of administrative session
cookies to the attacker.
See also :
http://www.gulftech.org/?node=research&article_id=00086-06292005
Solution :
Upgrade to Xoops version 2.0.12 or later.
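The check this plugin describes is a version threshold: any Xoops release below 2.0.12 is flagged. The following is an added example, not the scanner's own plugin code, showing how a practitioner would implement that threshold correctly. The pitfall it guards against is naive string comparison, under which "2.0.9" sorts after "2.0.12" and an affected host is missed. The version strings in the block are constructed sample input; how a scanner fingerprints the Xoops version on a real host is an assumption outside this example.

```python
import re
from typing import Dict, Optional, Tuple

# Fixed release named in the advisory: everything below it is flagged.
FIXED_VERSION = "2.0.12"

# Accepts MAJOR.MINOR.PATCH[.BUILD] with an optional alpha/beta/rc suffix
# (e.g. "2.0.12-RC1"). The suffix grammar is an assumption, not from the page.
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?(?:[-_ ]?(alpha|beta|rc)\s*(\d*))?$",
    re.IGNORECASE,
)

# Rank pre-release tags so they sort before the final release of the same number.
_PRERELEASE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 99


def parse_version(ver: str) -> Optional[Tuple[int, ...]]:
    """Turn a version string into a tuple that compares numerically.

    Returns None when the string is not a version we understand, so the
    caller can treat it as 'unknown' rather than silently 'not vulnerable'.
    """
    m = _VERSION_RE.match(ver.strip())
    if not m:
        return None
    major, minor, patch, build = (int(x) if x else 0 for x in m.group(1, 2, 3, 4))
    tag, tag_num = m.group(5), m.group(6)
    if tag:
        pre = (_PRERELEASE_RANK[tag.lower()], int(tag_num) if tag_num else 0)
    else:
        pre = (_FINAL_RANK, 0)
    return (major, minor, patch, build) + pre


def is_vulnerable(ver: str) -> Optional[bool]:
    """True if ver < 2.0.12, False if at or above it, None if unparseable."""
    parsed = parse_version(ver)
    if parsed is None:
        return None
    return parsed < parse_version(FIXED_VERSION)


def naive_string_check(ver: str) -> bool:
    """The wrong way: lexicographic comparison of the raw strings."""
    return ver < FIXED_VERSION


def scan_versions(detected: Dict[str, str]) -> Dict[str, str]:
    """Classify a mapping of host -> detected version string."""
    verdicts = {}
    for host, ver in detected.items():
        result = is_vulnerable(ver)
        if result is None:
            verdicts[host] = "unknown"
        elif result:
            verdicts[host] = "vulnerable"
        else:
            verdicts[host] = "patched"
    return verdicts


if __name__ == "__main__":
    # Constructed sample input standing in for fingerprinted versions.
    sample = {
        "10.0.0.5": "2.0.9",
        "10.0.0.6": "2.0.12",
        "10.0.0.7": "2.0.12-RC1",
        "10.0.0.8": "2.0.13.2",
        "10.0.0.9": "not-a-version",
    }
    for host, verdict in scan_versions(sample).items():
        print(f"{host:10} {sample[host]:14} {verdict}")
    # The pitfall: string comparison puts 2.0.9 "above" 2.0.12.
    print("naive check on 2.0.9 says below 2.0.12:", naive_string_check("2.0.9"))
```

Unparseable versions are reported as "unknown" rather than "patched" so that a failed fingerprint never suppresses a finding; a release candidate of 2.0.12 is treated as still affected, since the page names 2.0.12 itself as the fixed release.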
Threat Level:
Medium / CVSS Base Score: 5
(AV:R/AC:L/Au:NR/C:P/A:N/I:P/B:N)