Advisories

The complete archive of software security vulnerabilities found by me.

  • Biblioteca 1.0 Beta Joomla Component Multiple SQL Injection Vulnerabilities - Adv - 21/08/2010

    Component that allows the automatic management of a library in electronic format. It can manage books and their loans through an attractive, simple and usable graphical user interface.

  • Jgrid 1.0 Joomla Component Local File Inclusion Vulnerability - Adv - 14/08/2010

    DATA GRID Component built on the popular EXTJS Framework.

  • Teams 1_1028_100809_1711 Joomla Component Multiple Blind SQL Injection Vulnerabilities - Adv - 10/08/2010

    Teams is a base application for entering leagues, teams, players, uniforms, and games.

  • Amblog 1.0 Joomla Component Multiple SQL Injection Vulnerabilities - Adv - 10/08/2010

    Amblog is a simple blog engine for Joomla CMS.

  • cgTestimonial 2.2 Joomla Component Multiple Remote Vulnerabilities - Adv - PoC - 06/08/2010

    The cg_Testimonial component is a tool that lets users add testimonials from the frontend and lets administrators manage and publish them from the backend.

  • Spielothek 1.6.9 Joomla Component Multiple Blind SQL Injection - Adv - 31/07/2010

    This component allows you to present your users with a highscore-enabled game area. It is based on the well-known joomlaflashgames, but with more features and a better scoring method. You can create your own categories for games and let your site visitors have fun, so they will return.

  • PBBooking 1.0.4_3 Joomla Component Multiple Blind SQL Injection - Adv - 29/07/2010

    A simple, easy to use, calendaring and booking component for Joomla. PBBooking offers live calendar integration both for reading availability and for writing appointments back to your calendar.

  • PhotoMap Gallery 1.6.0 Joomla Component Multiple Blind SQL Injection - Adv - 28/07/2010

    PhotoMap Gallery is a gallery component completely integrated into Joomla 1.5.x. Like 'Picasa', 'Flickr', or 'Panoramio', you can easily add geo-tags to your photos so that you can remember exactly where they're from using Google Maps.

  • Appointinator 1.0.1 Joomla Component Multiple Remote Vulnerabilities - Adv - 28/07/2010

    Appointinator is a small and convenient component that allows you to start appointment polls for your registered users.

  • TTVideo 1.0 Joomla Component SQL Injection Vulnerability - Adv - 27/07/2010

    TTVideo is a Joomla! component that makes use of the popular video sharing site Vimeo to create a video library.

  • WhiteBoard 0.1.30 Multiple Blind SQL Injection Vulnerabilities - Adv - 25/07/2010

    WhiteBoard is a fast, powerful, and free open source discussion board solution. The project started in March of 2007, and its recent release is the culmination of three years of hard work. Developed by a Zend Certified PHP Engineer, this discussion board uses advanced algorithms and features which previously were only available in paid discussion board solutions.

  • RedShop 1.0.23.1 Joomla Component Blind SQL Injection Vulnerability - Adv - 14/07/2010

    RedShop is a popular commercial Joomla component. It is a Content Creation Kit style webshop tool that gives the user extensive control to style and change their webshop without much more knowledge than HTML and a bit of CSS.

  • ArtForms 2.1b7.2 RC2 Joomla Component Multiple Remote Vulnerabilities - Adv - 07/07/2010

    The ArtForms component is an easy form generator for Joomla 1.0.x. It allows you to generate as many forms as you like, define all the fields you need, and also enable file upload and attachments.

  • Sandbox 2.0.3 Multiple Remote Vulnerabilities - Adv - 07/07/2010

    Sandbox is a personal website package that provides you with a blog, image gallery, file downloads area, and the ability to create miscellaneous custom webpages.

  • Canteen Joomla Component 1.0 Multiple Remote Vulnerabilities - Adv - 04/07/2010

    Canteen is a Joomla 1.5 component written for canteens. You can easily manage the daily menu with this component.

  • iScripts MultiCart 2.2 Multiple SQL Injection Vulnerabilities - Adv - 03/07/2010

    iScripts MultiCart 2.2 is a unique online shopping cart solution that enables you to have one storefront and multiple vendors for physical or digital (downloadable) products.

  • iScripts SocialWare 2.2.x Multiple Remote Vulnerabilities - Adv - 03/07/2010

    iScripts SocialWare is an award-winning, easy to use social networking software that enables you to create your own social network like MySpace, Orkut, Friendster, Linkedin, Facebook, Hi5, etc.

  • iScripts SocialWare 2.2.x Arbitrary File Upload Vulnerability - Adv - PoC - 02/07/2010

    iScripts SocialWare is an award-winning, easy to use social networking software that enables you to create your own social network like MySpace, Orkut, Friendster, Linkedin, Facebook, Hi5, etc.

  • iScripts CyberMatch 1.0 Blind SQL Injection Vulnerability - Adv - 02/07/2010

    iScripts CyberMatch is a turnkey online dating software for you to start a full-fledged dating site like match.com or eHarmony in minutes. iScripts CyberMatch can be used to create your own Dating, Personals or match making Site, Adult or Matrimonial Site.

  • iScripts ReserveLogic 1.0 SQL Injection Vulnerability - Adv - 01/07/2010

    iScripts ReserveLogic allows independent hotel/motels, B&B, time-shares, campgrounds, tour companies, etc., to take their business truly online with online reservation and customer management.

  • iScripts EasySnaps 2.0 Multiple SQL Injection Vulnerabilities - Adv - 01/07/2010

    EasySnaps is a commercial, powerful image hosting script that helps you host your images and provides a large number of utilities.

  • My Databook <= 2.5.0 Multiple Remote Vulnerabilities - Adv - 30/06/2010

    My DataBook is a personal organizer/planner. Features include eMail reminders, calendar, journal, appointments, and contacts.

  • TaskFreak Time Tracking 0.4 Multiple SQL Injection Vulnerabilities - Adv - 29/06/2010

    Web task manager and todo list.

  • ThePhig 3.0.7 Multiple Remote Vulnerabilities - Adv - 23/06/2010

    ThePhig is an open source PHP script built on the principle that creating an album of images should be as easy as uploading a directory of images.

  • Family Connections 2.2.3 Multiple Remote Vulnerabilities - Adv - 10/05/2010

    A private, easy-to-use website where you can connect with your friends and family. Share photos, messages, documents and more.

  • LaNewsFactory Multiple Remote Vulnerabilities - Adv - 19/04/2010

    LaNewsFactory is a widely used news manager that does not require a database. This version is affected by several vulnerabilities that allow an unauthenticated user to write arbitrary files on the system, include local files, read local files, etc.

  • Ca3DE/Cafu 9.06 Multiple Remote Vulnerabilities - PoC - 22/03/2010

    The Cafu Engine is an all-purpose, modern 3D graphics engine and game development kit, feature complete to get you started quickly.

  • Jinais IRC Server 0.1.8 NULL Pointer Vulnerability - Adv - PoC - 21/03/2010

    An IRC server written in C from scratch. Well, it's not _yet_ a fully featured IRC server. The goal is to make it multi-platformed, highly configurable at compile and run times, to allow it to run on slow machines, using the least amount of resources.

  • MX Simulator Server 2010-02-06 Remote Buffer Overflow - PoC - 19/03/2010

    MX Simulator features the ultimate in motocross gaming physics. Unlike most other MX games, you actually lean into turns and throttle, clutch and shift like on a real bike. This PoC has been tested on Windows XP SP2.

  • uhttp Server 0.1.0-alpha Path Traversal Vulnerability - Adv - 10/03/2010

    An ultra lightweight webserver with a very small memory usage.

  • VetPlus 2.0.3 Multiple Remote Vulnerabilities - Adv - 17/12/2009

    VetPlus is a vet clinics system. It currently manages Clients, Patients and users & schedules appointments.

  • Family Connections 2.1.3 Multiple Remote Vulnerabilities - Adv - PoC - 16/12/2009

    A private, easy-to-use website where you can connect with your friends and family. Share photos, messages, documents and more.

  • WSCreator 1.1 Blind SQL Injection - Adv - 15/12/2009

    Based on one of the world's leading structure and content management systems, WebSiteAdmin, WSCreator (WS standing for WebSite) is a powerful application for handling multiple websites. This is a commercial application.

  • Miniweb 2.0 Full Path Disclosure - Adv - 12/12/2009

    Miniweb 2.0 is designed for those who want to transform a brochure site into a dynamic Web 2.0 site that attracts tons of traffic and sales.

  • B2C Booking Centre Systems SQL Injection Vulnerability - Adv - 11/12/2009

    Booking Centre Systems is a multilingual, low-cost and high-performance software solution for any individual hotel, hotel group or tourist portal.

  • phpCollegeExchange 0.1.5c Multiple SQL Injection Vulnerabilities - Adv - PoC - 11/12/2009

    PhpCollegeExchange is a full fledged college community website.

  • Digital Scribe 1.4.1 Multiple SQL Injection Vulnerabilities - Adv - 11/12/2009

    The Digital Scribe is a free, intuitive system designed to help teachers put student work and homework assignments online.

  • T-HTB Manager 0.5 Multiple Blind SQL Injection - Adv - 10/09/2009

    T-HTB is a web manager for tc and iptables traffic classification, built on MySQL (nested set model), PHP and Ajax.

  • Nullam Blog 0.1.2 Multiple Remote Vulnerabilities - Adv - 10/09/2009

    No description.

  • Blink Blog System Authentication Bypass - Adv - 03/08/2009

    No description.

  • LightOpenCMS 0.1 pre-alpha SQL Injection - Adv - 05/06/2009

    LightOpenCMS is a new CMS that, unlike other CMS software, ships the CMS and the CMS admin as separate packages.

  • Pragyan CMS 2.6.4 Multiple SQL Injection - Adv - 22/04/2009

    No description.

  • Creasito e-commerce content manager 1.3.16 Authentication Bypass - Adv - 20/04/2009

    No description.

  • Multi-lingual E-Commerce System 0.2 Multiple Remote Vulnerabilities - Adv - 19/04/2009

    No description.

  • Tiny Blogr 1.0.0 rc4 Authentication Bypass - Adv - 17/04/2009

    Tiny Blogr is a tiny personal journal blog system with beautiful URL support.

  • Malleo 1.2.3 Local File Inclusion - Adv - 17/04/2009

    No description.

  • PHP-agenda 2.2.5 Remote File Overwriting - Adv - 10/04/2009

    The php-agenda is a small, versatile tool to replace your paper agenda.

  • Loggix Project 9.4.5 Blind SQL Injection - Adv - 10/04/2009

    Loggix is a really simple, lightweight PHP and SQLite driven weblog/CMS engine. The advisory does not include a Blind SQL Injection example.

  • Dynamic Flash Forum 1.0 Beta Multiple Remote Vulnerabilities - Adv - 09/04/2009

    DF2 will be the next thing in web forums, combining the looks and ease of use of Flash(tm) with the reliability of PHP and MySQL to create the ultimate forum program for web designers: Dynamic Flash Forum.

  • AdaptBB 1.0 Beta Multiple Remote Vulnerabilities - Adv - 09/04/2009

    AdaptBB is a new open source forum system. This version presents multiple security flaws that allow a guest to execute remote commands and to inject SQL statements. A registered user can also upload arbitrary files.

  • Bookjoomlas Joomla! Component 0.1 SQL Injection - Adv - 06/04/2009

    No description.

  • Family Connections 1.8.2 Arbitrary File Upload - Adv - PoC - 03/04/2009

    A private, easy-to-use website where you can connect with your friends and family. Share photos, messages, documents and more.

  • Family Connections 1.8.2 Blind SQL Injection - Adv - PoC - 01/04/2009

    A private, easy-to-use website where you can connect with your friends and family. Share photos, messages, documents and more. Neither the advisory nor the PoC includes an example of actual exploitation of the Blind SQL Injection.

  • webEdition 6.0.0.4 Local File Inclusion - Adv - 31/03/2009

    No description.

  • Community CMS 0.5 Multiple SQL Injection - Adv - 30/03/2009

    Community CMS is a PHP/MySQL based CMS targeted for use by communities or groups within a specific area.

  • Family Connections 1.8.2 Multiple Remote Vulnerabilities - Adv - 25/03/2009

    A private, easy-to-use website where you can connect with your friends and family. Share photos, messages, documents and more.

  • phpCommunity 2 2.1.8 Multiple Remote Vulnerabilities - Adv - 07/03/2009

    No description.

  • Wili-CMS 0.4.0 Multiple Remote Vulnerabilities - Adv - 06/03/2009

    Wili-CMS is a "wiki-like" Content Management System.

  • nForum 1.5 Multiple SQL Injection - Adv - 06/03/2009

    nForum is a forum written in PHP that uses MySQL. It is designed to be fast and secure.

  • CelerBB 0.0.2 Multiple Remote Vulnerabilities - Adv - 05/03/2009

    CelerBB is a piece of forum software that is designed to provide a free alternative to much of the other large, expensive forum software that is available on the internet today.

  • BlindBlog 1.3.1 Multiple Remote Vulnerabilities - Adv - 03/03/2009

    BlindBlog is a custom blog with an archive and commenting system. It presents several security flaws that allow a guest to inject SQL statements, bypass the login system and include local files from the affected server.

  • RitsBlog 0.4.2 Multiple Remote Vulnerabilities - Adv - 02/03/2009

    RitsBlog is a JavaScript/PHP/MySQL blog manager focused on being as intuitive and WYSIWYG as possible.

  • EZ-Blog 1 Beta Multiple SQL Injection - Adv - 01/03/2009

    EZ-Blog is an open-source blog program written in PHP. Presently, only MySQL is supported, but a PostgreSQL version is planned.

  • BlogMan 0.45 Multiple Remote Vulnerabilities - Adv - 01/03/2009

    BlogMan is a blogging application designed to be run by a person who will host their own blog somewhere.

  • gigCalendar Joomla! Component 1.0 SQL Injection (2) - Adv - 21/02/2009

    gigCalendar is the world's first free solution for maintaining a website's touring calendar.

  • gigCalendar Joomla! Component 1.0 SQL Injection - Adv - 21/02/2009

    gigCalendar is the world's first free solution for maintaining a website's touring calendar.

  • Max.Blog 1.0.6 SQL Injection (2) - Adv - 27/01/2009

    No description.

  • Max.Blog 1.0.6 Offline Authentication Bypass - Adv - 27/01/2009

    No description.

  • Max.Blog 1.0.6 SQL Injection - Adv - 20/01/2009

    No description.

  • Discloser 0.0.4-rc2 SQL Injection - Adv - 21/02/2004

    No description.
