
Test ID: 1.3.6.1.4.1.25623.1.0.70265
Category: FreeBSD Local Security Checks
Title: FreeBSD Ports: dtc
Summary: The remote host is missing an update to the system, as announced in the referenced advisory.
Description:
Summary:
The remote host is missing an update to the system
as announced in the referenced advisory.

Vulnerability Insight:
The following package is affected: dtc

CVE-2011-0434
Multiple SQL injection vulnerabilities in Domain Technologie Control
(DTC) before 0.32.9 allow remote attackers to execute arbitrary SQL
commands via the cid parameter to (1) admin/bw_per_month.php or (2)
client/bw_per_month.php.

CVE-2011-0435
Domain Technologie Control (DTC) before 0.32.9 does not require
authentication for (1) admin/bw_per_month.php and (2)
client/bw_per_month.php, which allows remote attackers to obtain
potentially sensitive bandwidth information via a direct request.

CVE-2011-0436
The register_user function in client/new_account_form.php in Domain
Technologie Control (DTC) before 0.32.9 includes a cleartext password
in an e-mail message, which makes it easier for remote attackers to
obtain sensitive information by sniffing the network.

CVE-2011-0437
shared/inc/sql/ssh.php in the SSH accounts management implementation
in Domain Technologie Control (DTC) before 0.32.9 allows remote
authenticated users to delete arbitrary accounts via the edssh_account
parameter in a deletesshaccount Delete action.

Solution:
Update your system with the appropriate patches or
software upgrades.

CVSS Score:
7.5

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P

Cross Reference:
Common Vulnerability Exposure (CVE) ID: CVE-2011-0434
Debian Security Information: DSA-2179
http://www.debian.org/security/2011/dsa-2179
http://www.gplhost.sg/lists/dtcannounce/msg00025.html
http://secunia.com/advisories/43523
http://www.vupen.com/english/advisories/2011/0556
XForce ISS Database: dtc-cid-sql-injection(65895)
https://exchange.xforce.ibmcloud.com/vulnerabilities/65895
Common Vulnerability Exposure (CVE) ID: CVE-2011-0435
XForce ISS Database: dtc-bwpermonth-info-disc(65896)
https://exchange.xforce.ibmcloud.com/vulnerabilities/65896
Common Vulnerability Exposure (CVE) ID: CVE-2011-0436
http://openwall.com/lists/oss-security/2011/02/22/1
XForce ISS Database: dtc-passwords-info-disc(65898)
https://exchange.xforce.ibmcloud.com/vulnerabilities/65898
Common Vulnerability Exposure (CVE) ID: CVE-2011-0437
XForce ISS Database: dtc-ssh-sec-bypass(65897)
https://exchange.xforce.ibmcloud.com/vulnerabilities/65897
Copyright: Copyright (C) 2011 E-Soft Inc.

© 1998-2025 E-Soft Inc. All rights reserved.