8 matches found

CNNVD
added 2022/05/10 12:0 a.m., 1 view

WordPress plugin WP-JS cross-site scripting vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A cross-site scripting...

6.1 CVSS, 5.9 AI score, 0.00264 EPSS
Exploits: 0, References: 4

seebug.org
added 2014/12/19 12:0 a.m., 12 views

Qibo Menhu V5 /wei/js.php SQL injection vulnerability

/wei/js.php elseif$type=='like' $SQL.=" AND id!='$id' "; if!$keyword extract$db-getone"SELECT keywords AS keyword FROM $precontent WHERE id='$id'"; if$keyword $SQL.=" AND "; $keyword=urldecode$keyword; $detail=explode" ",$keyword; unset$detail2; foreach $detail AS $key=$value $detail2=" BINARY...

7.1 AI score
Exploits: 0

seebug.org
added 2014/12/03 12:0 a.m., 12 views

qibocms b2b /news/js.php SQL injection vulnerability

No description provided by source...

7.1 AI score
Exploits: 0

seebug.org
added 2014/07/01 12:0 a.m., 7 views

Active Calendar 1.2 data/js.php css Parameter XSS

No description provided by source. source: http://www.securityfocus.com/bid/22705/info Active Calendar is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the...

7.1 AI score
Exploits: 0

seebug.org
added 2013/11/25 12:0 a.m., 13 views

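Destoon: after the latest 20131010 patch, all versions remain injectable

Brief description: After the latest Destoon 20131010 patch, all versions remain injectable. Details: The problem lies in the api/js.php vulnerability. I was busy with work this week, so someone else submitted it, and the official patch is already out. After downloading the patch, I found that the official fix is rather careless and does not grasp the essence of the vulnerability; it can be bypassed and injected again within minutes. I suggest the vendor think carefully about the root cause of this vulnerability. Proof of vulnerability: stripsql filters the string union, but in practice this can be bypassed. Because the referer needs to be forged, a script written in PHP is used for exploitation, and the paths in it need to be modified to suit the actual situation. In the POC, the host parameter is the domain name (localhost for local testing) and the ver parameter is the version; exploit code for three versions, 3, 4 and 5, is written in it....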

7.1 AI score
Exploits: 0

seebug.org
added 2012/01/04 12:0 a.m., 20 views

phpcms 2008 /ads/include/ads_place.class.php SQL injection vulnerability

Vulnerability location: /ads/include/adsplace.class.php function show$placeid …………............. else $ads = $this-db-getone"SELECT FROM ".DBPRE."ads a, $this-table p WHERE a.placeid=p.placeid AND p.placeid=$placeid AND a.fromdate=UNIXTIMESTAMP AND a.passed=1 AND a.status=1 ORDER BY rand LIMIT 1"; $contents =...

7.2 AI score
Exploits: 0

Prion
added 2007/02/26 5:28 p.m., 6 views

Cross site scripting

Multiple cross-site scripting (XSS) vulnerabilities in ActiveCalendar 1.2.0 allow remote attackers to inject arbitrary web script or HTML via the css parameter to (1) flatevents.php, (2) js.php, (3) mysqlevents.php, (4) m2.php, (5) m3.php, (6) m4.php, (7) xmlevents.php, (8) y2.php, or (9) y3.php in data/...

6.8 CVSS, 6 AI score, 0.0232 EPSS
Exploits: 1, References: 15, Affected Software: 1

NVD
added 2007/02/26 5:28 p.m., 7 views

CVE-2007-1111

Multiple cross-site scripting (XSS) vulnerabilities in ActiveCalendar 1.2.0 allow remote attackers to inject arbitrary web script or HTML via the css parameter to (1) flatevents.php, (2) js.php, (3) mysqlevents.php, (4) m2.php, (5) m3.php, (6) m4.php, (7) xmlevents.php, (8) y2.php, or (9) y3.php in data/...

6.8 CVSS, 5.8 AI score, 0.0232 EPSS
Exploits: 1, References: 15