Test ID: 1.3.6.1.4.1.25623.1.0.806062
Category: Web application abuses
Title: Web Reference Database Multiple Vulnerabilities
Summary: Web Reference Database (refbase) is prone to multiple vulnerabilities.
Description:

Vulnerability Insight: The flaws are due to:
- The application does not employ cross-site request forgery (CSRF) protection mechanisms, such as CSRF tokens.
- Insufficient sanitization of user-supplied input via the referrer GET parameter in multiple pages.
- Insufficient sanitization of user-supplied input via the id GET parameter in unapi.php and the stylesheet GET parameter in sru.php.
- Multiple input sanitization errors in install.php via the defaultCharacterSet, adminPassword, pathToMYSQL and databaseStructureFile POST parameters.
- Insufficient sanitization of user-supplied input via the errorNo and errorMsg GET parameters in error.php.
- Insufficient sanitization of user-supplied input via the viewType GET parameter in duplicate_manager.php.
- Insufficient sanitization of user-supplied input via the where GET parameter in rss.php.
- Insufficient sanitization of user-supplied input via the sqlQuery GET parameter in search.php.
- Insufficient sanitization of user-supplied input via the sourceText and sourceIDs POST parameters in import.php.
- Insufficient sanitization of user-supplied input via the adminUserName POST parameter in update.php.
- Insufficient sanitization of user-supplied input via the typeName and fileName POST parameters in modify.php.

Vulnerability Impact: Successful exploitation will allow remote attackers to submit valid requests to the server on behalf of authenticated users, execute arbitrary code on the server, directly read, write and modify arbitrary data in the application's database, and redirect victims to malicious web addresses.

Affected Software/OS: refbase versions 0.9.6 and possibly earlier.

Solution: As a workaround, restrict access to the application to trusted users and networks, and manually remove the install.php and update.php scripts from production deployments of the application when they are not needed.

CVSS Score: 7.5
CVSS Vector (v2): AV:N/AC:L/Au:N/C:P/I:P/A:P
Cross-Ref:
- CVE-2015-6007; CERT/CC vulnerability note VU#374092: http://www.kb.cert.org/vuls/id/374092
- CVE-2015-6008; https://www.exploit-db.com/exploits/38292/
- CVE-2015-6009
- CVE-2015-6010
- CVE-2015-6011
- CVE-2015-6012
- CVE-2015-7381
- CVE-2015-7382
- CVE-2015-7383

Copyright: Copyright (C) 2015 Greenbone AG
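The first finding above, state-changing forms with no anti-forgery token, is one a practitioner can check for in saved pages before and after patching. The script below is an added example, not refbase's code and not part of the Greenbone test: it parses HTML with the Python standard library and lists POST forms that carry no hidden field whose name looks like a token. The sample page it runs against is constructed; the form markup, the token field name csrf_token and its value are assumptions, only the file and parameter names (update.php, adminUserName, adminPassword, search.php, sqlQuery) come from the advisory.

```python
"""Flag POST forms that carry no anti-CSRF token (added example, not refbase code)."""
from html.parser import HTMLParser

# Hidden-field names that usually indicate an anti-forgery token (assumption).
TOKEN_NAME_HINTS = ("csrf", "xsrf", "nonce", "token", "authenticity")

# Constructed sample page, not refbase's real markup. The first form posts
# adminUserName to update.php with no token, the weak pattern the advisory
# describes; the second is the same form with a hidden token field added;
# the third is a GET search form, which this check deliberately ignores.
SAMPLE_HTML = """
<html><body>
<form action="update.php" method="post">
  <input type="text" name="adminUserName">
  <input type="password" name="adminPassword">
  <input type="submit" value="Update">
</form>
<form action="update.php" method="post">
  <input type="hidden" name="csrf_token" value="a1b2c3d4e5f6a7b8">
  <input type="text" name="adminUserName">
  <input type="password" name="adminPassword">
  <input type="submit" value="Update">
</form>
<form action="search.php" method="get">
  <input type="text" name="sqlQuery">
  <input type="submit" value="Search">
</form>
</body></html>
"""


class FormCollector(HTMLParser):
    """Collect each <form> with its action, method and hidden input names."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values may be None.
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {
                "action": a.get("action", ""),
                "method": a.get("method", "get").lower(),
                "hidden": [],
            }
        elif tag == "input" and self._current is not None:
            if a.get("type", "text").lower() == "hidden":
                self._current["hidden"].append(a.get("name", "").lower())

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def collect_forms(html):
    """Parse the page and return the list of form records."""
    parser = FormCollector()
    parser.feed(html)
    parser.close()
    return parser.forms


def has_csrf_token(form):
    """True if any hidden field name contains a token-like hint."""
    return any(hint in name for name in form["hidden"] for hint in TOKEN_NAME_HINTS)


def unprotected_forms(html):
    """Return (action, method) for POST forms that carry no anti-CSRF token.

    Only POST forms are reported: a GET form is not a token finding by
    itself, although a GET that changes server state would need review too.
    """
    return [
        (f["action"], f["method"])
        for f in collect_forms(html)
        if f["method"] == "post" and not has_csrf_token(f)
    ]


if __name__ == "__main__":
    for action, method in unprotected_forms(SAMPLE_HTML):
        print(f"no anti-CSRF token: {method.upper()} {action}")
```

A name-based heuristic only shows that a token field exists; whether the server actually validates it per session still has to be confirmed by replaying the request with the token altered or removed.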