49 matches found
Open redirect
Open redirect vulnerability in api.php in SiteEngine 5.x allows user-assisted remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the forward parameter in a logout action...
Information disclosure
The phpinfo function in SiteEngine 5.x allows remote attackers to obtain system information by setting the action parameter to phpinfo in misc.php...
CVE-2010-4357
SQL injection vulnerability in comments.php in SiteEngine 7.1 allows remote attackers to execute arbitrary SQL commands via the module parameter...
CVE-2008-7267
SQL injection vulnerability in announcements.php in SiteEngine 5.x allows remote attackers to execute arbitrary SQL commands via the id parameter...
CVE-2008-7268
The phpinfo function in SiteEngine 5.x allows remote attackers to obtain system information by setting the action parameter to phpinfo in misc.php...
CVE-2008-7269
CVE-2008-7269 is an open-redirect flaw affecting SiteEngine 5.x (notably in api.php) where a user-controlled forward parameter in a logout action can redirect victims to arbitrary sites. The vulnerability enables user-assisted remote attack chains for phishing or similar redirects. The Nuclei tem...
CVE-2010-4357
CVE-2010-4357: SiteEngine 7.1 contains a SQL injection in comments.php via the module parameter, enabling remote arbitrary SQL execution. Technical detail: vulnerable component is the comments.php handler in SiteEngine 7.1; exploit vector is passing crafted module parameters to trigger SQL comman...
CVE-2008-7268
SiteEngine 5.x is affected by CVE-2008-7268 via a phpinfo information-disclosure in misc.php when action=php_info is supplied, allowing remote attackers to obtain system information. The connected documents reiterate the description; no remediation patch/version is provided in the supplied source...
CVE-2008-7267
CVE-2008-7267 describes a SQL injection in SiteEngine 5.x, specifically in announcements.php, where the vulnerable parameter is id. The root cause is improper handling of user input leading to arbitrary SQL execution by remote attackers. Impact is partial confidentiality/integrity/availability lo...
CVE-2008-7269
Open redirect vulnerability in api.php in SiteEngine 5.x allows user-assisted remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the forward parameter in a logout action...
SiteEngine 6.0 XSS vulnerability
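SiteEngine, in full the Boka Website Engine Management System, is developed on PHP and a MySQL database and uses a B/S (browser/server) architecture. POC: http://server/comments.php?module=news&id=XSS http://server/news.php?pagestart=1&classid=XSS http://server/search.php?searchword=XSS SiteEngine 6.0 Vendor patch: SiteEngine ------- The vendor has not yet provided a patch or upgrade; we recommend that users of this software watch the vendor's home page for the latest version:...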
SiteEngine <= 7.1 SQL Injection Vulnerability
Exploit for php platform in category web applications ============================================= SiteEngine = 7.1 SQL Injection Vulnerability ============================================= Title: SiteEngine 7.1 SQL injection Vulnerability Date: 2010-11-25 Author: Beach Team: www.linux520.com...
SiteEngine 6.0 & 7.1 SQL injection vulnerability - vulnerability warning - the black bar safety net
Title: SiteEngine 6.0 SQL injection vulnerability Date: 2010-11-25 Author: Beach Team: www.linux520.com Vendors: www.siteengine.net www.boka.cn Keywords: "Powered by SiteEngine" //300,000 + Description: The use of this vulnerability requires that the comment function is turned ON (ON by default) The u...
SiteEngine 7.1 - SQL Injection
Title: SiteEngine 7.1 SQL injection Vulnerability Date: 2010-11-25 Author: Beach Team: www.linux520.com Vendor: www.siteengine.net www.boka.cn Dork: "Powered by SiteEngine" //300,000 + Language:PHP Greetz: birdarmy Description: Exploit this vulnerability comment must be enabled default == enable...
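SiteEngine 6.0 SQL injection vulnerability
SiteEngine, in full the Boka Website Engine Management System, is developed on PHP and a MySQL database and uses a B/S (browser/server) architecture. Exploiting this vulnerability requires the comment function to be enabled (enabled by default). SiteEngine 6.0 Vendor patch: SiteEngine ------- The vendor has not yet provided a patch or upgrade; we recommend that users of this software watch the vendor's home page for the latest version: http://www.siteengine.net/...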
SiteEngine 7.1 - SQL Injection
SiteEngine 7.1 - SQL Injection Title: SiteEngine 7.1 SQL injection Vulnerability Date: 2010-11-25 Author: Beach Team: www.linux520.com Vendor: www.siteengine.net www.boka.cn Dork: "Powered by SiteEngine" //300,000 + Language:PHP Greetz: birdarmy Description: Exploit this vulnerability comment mus...
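SiteEngine 7.1 SQL injection vulnerability
SiteEngine, in full the Boka Website Engine Management System, is developed on PHP and a MySQL database and uses a B/S (browser/server) architecture. Exploiting this vulnerability requires the comment function to be enabled (enabled by default). SiteEngine 7.1 Vendor patch: SiteEngine ------- The vendor has not yet provided a patch or upgrade; we recommend that users of this software watch the vendor's home page for the latest version: http://www.siteengine.net/ Enterprise portal edition:...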
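SiteEngine (Boka Website Engine Management System) 5.1.0 has a file upload vulnerability
SiteEngine, in full the Boka Website Engine Management System, is developed on PHP and a MySQL database and uses a B/S (browser/server) architecture. First, look at the first piece of code, which checks the file extension.
    $attach['name'] = $filename = str_replace(" ", "", $attach['name']); // remove spaces from the file name
    $attach['ext'] = $extension = strtolower(fileext($attach['name'])); // get the file extension and convert it to lowercase
    // escape regular-expression characters in the file extension and match it against the allowed file extensions
    if...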
SiteEngine CMS 5.1.0 file upload vulnerability - vulnerability warning - the black bar safety net
SiteEngine, in full the Boka Website Engine Management System, is marketing-oriented website construction and management software with its own intellectual property rights, independently developed in 2002 by Beijing Boka Vanguard Software Development Co., Ltd. At the sa...
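SiteEngine CMS 5.1.0 file upload vulnerability
SiteEngine, in full the Boka Website Engine Management System, is marketing-oriented website construction and management software with its own intellectual property rights, independently developed in 2002 by Beijing Boka Vanguard Software Development Co., Ltd. In 2004 SiteEngine also passed software product testing by the China Software Testing Center (CSTC) and is a software product recognized by the national Ministry of Information Industry. The software is developed on PHP and a MySQL database, uses a pure B/S (browser/server) architecture with no client, and runs across operating system platforms such as Unix/Linux/FreeBSD/Solaris/Windows2000/XP/2003/Vista...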