Network Security News – Thursday, June 30, 2005 Events
Claroline E-Learning exercises_details.php uInfo Variable SQL Injection
Claroline E-Learning contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the exercises_details.php script not properly sanitizing user-supplied input to the uInfo variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.. Read more at osvdb.org/17568
e107 theme.php Direct Request Path Disclosure
e107 contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker makes a request directly to the theme.php script, which will disclose the software's installation path resulting in a loss of confidentiality. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.. Read more at osvdb.org/17571
e107 header_default.php Direct Request Path Disclosure
e107 contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker makes a request directly to the header_default.php script, which will disclose the software's installation path resulting in a loss of confidentiality. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.. Read more at osvdb.org/17617
e107 footer_default.php Direct Request Path Disclosure
e107 contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker makes a request directly to the footer_default.php script, which will disclose the software's installation path resulting in a loss of confidentiality. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.. Read more at osvdb.org/17616