Guide to Security Vulnerabilities in Content Management Systems (CMS)
Tel: +963 11 3937032 Fax: +963 11 3937079 E-mail: isc@nans.gov.sy Website: www.nans.gov.sy
1. DotNetNuk
2. Platinum
3. Drupal
4. Xoops
5. Impress
6. Joomla
7. Kentico
8. Wordpress
9. Umbraco
10. OpenPHPNuke
11. Bitflux
12. Plesk
13.
14.
1. DotNetNuk
DotNetNuk DotNetNuke 6.1.0 :
DNN-18555
HTML
[1]
DNN-18534
disable autoremember during registration
DNN-18375
incorrect logic in module administration check
[2]
[3]
DNN-15379
Module Permissions Editable by anyone with the URL
modules
module
[4]
module
DNN-16484
[5]
DNN-16535
User management mechanisms can be executed by invalid users
[6]
DNN-14587
XSS
VULN044
Unauthenticated user can install/uninstall modules
XSS . html tag
[7]
modules
[8]
modules
DNN-14540
[9]
2. Platinum
Platinum Platinum 4.x :
10.21.56 - CVE
SQL
SQL injection vulnerability
CVE-2008-1539
includes/dynamic_titles.php
Platinum 7.6.b.5
SQL
[10]
modules.php
module
CVE-2006-2121
CVE-2006-1929
vulnerability in admin/config_settings.tpl.php
include_path
PHP remote file
include/common.php
inclusion vulnerability
in include/common.php PHP
[11]
[12]
include_path
platinum-id-sql)injection (58262
modules/Forums/favorites.php
PHP
nuke_bb_root_path
SQL
[13]
Platinum Config_settings.TPL.PHP Remote File Include Vulnerability
3. Drupal
Drupal Drupal 7.5 Drupal 7.7 :
SA-CORE-2011-003
Drupal core
Access bypass
Access bypass
[14]
URL
SA-CORE-2011-002
Drupal core
Access bypass
cross site scripting vulnerability in error handler
SA-CORE-2011-001 - Drupal core Multiple vulnerabilities
Drupal
[14]
re-colorable themes
[14]
SA-CONTRIB-2011-058 - Support Timer
SA-CONTRIB-2011-057 - Support Ticketing System
SA-CONTRIB-2011-056 - Webform Validation
[14]
[14]
XSS
[15]
Access bypass
SQL Injection
Webform CiviCRM module
SQL
CKEditor module
Access bypass
[15]
[15]
Views module
SA-CONTRIB-2011-052 - Views
SQL Injection
SA-CONTRIB-2011-049 - Cumulus
SA-CONTRIB-2011-040 - Author Pane
access bypass
SA-CORE-2010-001 - Drupal core
SA-CORE-2010-001 - Drupal core
Open redirection
SA-CORE-2009-007 - Drupal core
Cross-site scripting
[15]
SQL
Cumulus module
[15]
[15]
XSS
[14]
[14]
Forum module
XSS
HTML script
[14]
: Modules
http://drupal.org/node/1357278
http://drupal.org/node/1357300
support 6.x-1.7
http://drupal.org/node/1357354
http://drupal.org/node/1357356
Drupal 7.x
Webform Validation 7.x-1.1
module
Support Timer module
Support Ticketing System module
http://drupal.org/node/1336044
Drupal 6.x
Webform CiviCRM Integration 6.x-2.2
Webform CiviCRM Integration module
http://drupal.org/node/1336046
Drupal 7.x
Webform CiviCRM Integration 7.x-2.2
http://drupal.org/node/1336272
CKEditor 7.x-1.5
CKEditor module
http://drupal.org/node/1329842
Views 6.x-2.13
Views module
http://drupal.org/node/1304616
Cumulus 6.x-1.5
Cumulus module
http://drupal.org/node/1271388
4. Xoops
Xoops Xoops 2.5.4 :
CVE-2006-4417
SQL injection
CVE-2005-0911
CVE-2006-3363
CVE-2006-3341
SQL injection
CVE-2006-2516
SQL
PHP
Glossaire module
[16]
[17]
[18]
.1.7
annonces-p-f.php
MyAds
[19]
SQL
$xoopsOption['nocommon']
directory traversal
[20]
CVE-2006-2516
CVE-2006-2516
Cross-site scripting (XSS)
SQL injection
web script
XSS
viewcat.php
WF-Downloads
SQL
CVE-2005-3680
File inclusion
CVE-2005-2338
cross-site scripting (XSS)
CVE-2005-2113
SQL injection
[21]
[21]
[22]
web script
forum module
SQL
[23]
[24]
authentication . XML
[25]
CVE-2002-1802
CVE-2005-2112
CVE-2005-0910
Cross-site scripting (XSS)
web script
XSS
[26]
[27]
[28]
CVE-2004-1640
CVE-2005-1031
CVE-2005-0828
CVE-2005-0743
CVE-2002-0216
SQL injection
[29]
[30]
[31]
[32]
PHP
PHP
SQL
5. Impress
Impress Impress 1.2.5 :
CVE-2010-4616
web script
[33]
HTML
CVE-2008-2035
Cross-site scripting (XSS)
HTB22766
[34]
SA31259
CVE-2008-3453
ImpressCMS "modules/admin.php" Unspecified Vulnerability
CVE-2008-5964
CVE-2010-4271
modules/admin.php
hijack web sessions
[36]
PHPSESSID
SQL injection
SQL
CVE-2005-4259
CVE-2010-2936
Integer overflow
CVE-2010-2935
[35]
[37]
[38]
[39]
application crash
buffer overflow
[40]
6. Joomla
Joomla Joomla 1.7.3 :
[20110601]
XSS Vulnerabilities
[41]
[20110602]
NS-11-009
Information Disclosure
[42]
XSS Vulnerabilities
'com_search' Component Cross Site Scripting Vulnerability
[20110603]
Unauthorised Access
Password Enumeration Weakness
[43]
[44]
[45]
brute-force
[46]
Bugtraq ID: 47159
Unspecified Information Disclosure Vulnerability
CVE-2011-2488
[47]
[48]
Bugtraq ID: 46846
CVE-2011-1151
DoS
[50]
[51]
Clickjacking
SQL
[49]
[52]
Clickjacking Vulnerability
CVE-2011-2892
7. Kentico
Kentico kentico 6 :
[53]
kenticocmsusersviewer-xss (67776)
SA44785
XSS Vulnerabilities
Kentico CMS 'userContextMenu_parameter' Parameter Cross Site Scripting Vulnerability
[54]
[55]
8. Wordpress
Wordpress Wordpress cms 3.3.1 :
CVE-2004-1584
CVE-2004-1559
CRLF injection vulnerability
cross-site scripting (XSS) vulnerabilities
[56]
HTML
[58]
CVE-2007-1894
CVE-2007-1732
cross-site scripting (XSS) vulnerabilities
CVE-2007-1049
[59]
JavaScript HTML
CVE-2007-1622
cross-site scripting (XSS) vulnerabilities
[62]
[63]
SQL injection vulnerability
SQL
CVE-2007-0233
CVE-2007-1409
[65]
[66]
[67]
Commands injection
[68]
Cross-site request forgery (CSRF) vulnerability
Files injection
[69]
CVE-2007-1277
CVE-2007-1244
CVE-2007-0541
[64]
CVE-2007-0107
CVE-2007-1599
[60]
[61]
CVE-2007-0106
CVE-2007-1897
[57]
XSS
[70]
[71]
DoS
CVE-2007-0540
DoS
CVE-2007-0539
CVE-2007-0109
brute force
[72]
[73]
9. Umbraco
Umbraco Umbraco 4.7.1 :
Privilege Escalation Vulnerability
SA34209
[74]
[75]
SA200901234
Unauthorized Access Vulnerability
10. OpenPHPNuke
OpenPHPNuke OpenPHPnuke 2.4.16 :
CVE-2006-2137
Remote File Include Vulnerability
[76]
PHP
CVE-2006-1602
SQL Injection Vulnerability
[77]
11. Bitflux
Bitflux Bitflux cms 1.6 :
DoS
[78]
CVE-2006-6361
HTTP POST
Bugtraq ID: 21417
Buffer Overflow Vulnerability
12. Plesk
Plesk Parallels Plesk Panel 9.5 :
CVE-2006-3737
Cross-site scripting (XSS)
Bugtraq ID:
JavaScript HTML
HTML Injection Vulnerabilities
[81]
Login.PHP3 Directory Traversal Vulnerability
Filemanager.PHP Directory Traversal Vulnerability
[80]
PHP
HTTP IP
[79]
CVE-2004-2702
CVE-2001-1222
HTML
JavaScript
13.
http://www.secunia.com
http://www.f-secure.com/
http://www.securityfocus.com
http://cve.mitre.org
http://www.impresscms.org
http://www.dotnetnuke.com
http://drupal.org/security
http://osvdb.org
http://www.exploitsearch.net
http://cxsecurity.com/wlb
http://www.iss.net/index.html
http://www.security-database.com
http://nvd.nist.gov
14.
[1] http://www.dotnetnuke.com/News/Security-Policy/Security-bulletin-no.59.aspx
[2] http://www.dotnetnuke.com/News/Security-Policy/Security-bulletin-no.58.aspx
[3] http://www.dotnetnuke.com/News/Security-Policy/Security-bulletin-no.57.aspx
[4] http://www.dotnetnuke.com/News/Security-Policy/Security-bulletin-no.56.aspx
[5] http://www.dotnetnuke.com/News/Security-Policy/Security-bulletin-no.54.aspx
[6] http://www.dotnetnuke.com/News/Security-Policy/Security-bulletin-no.53.aspx
[7] http://www.dotnetnuke.com/News/Security-Policy/Security-bulletin-no.49.aspx
[8] http://www.dotnetnuke.com/News/Security-Policy/Security-bulletin-no.46.aspx
[9] http://www.dotnetnuke.com/News/Security-Policy/Security-bulletin-no.45.aspx
[10] http://www.security-database.com/detail.php?alert=CVE-2008-1539
[11] http://www.security-database.com/detail.php?alert=CVE-2006-2121
[12] http://www.security-database.com/detail.php?alert=CVE-2006-1929
[13] http://www.security-database.com/detail.php?alert=CVE-2007-5676
[14] http://drupal.org/security
[15] http://drupal.org/security/contrib?page=3
[16] http://www.security-database.com/detail.php?alert=CVE-2006-4417
[17] http://www.security-database.com/detail.php?alert=CVE-2005-0911
[18] http://www.security-database.com/detail.php?alert=CVE-2006-3363
[19] http://www.security-database.com/detail.php?alert=CVE-2006-3341
[20] http://www.security-database.com/detail.php?alert=CVE-2006-2516
[21] http://www.security-database.com/detail.php?alert=CVE-2006-2516
[22] http://www.security-database.com/detail.php?alert=CVE-2005-3680
[23] http://www.security-database.com/detail.php?alert=CVE-2005-2338
[24] http://www.security-database.com/detail.php?alert=CVE-2005-2113
[25] http://www.security-database.com/detail.php?alert=CVE-2002-1802
[26] http://www.security-database.com/detail.php?alert=CVE-2005-2112
[27] http://www.security-database.com/detail.php?alert=CVE-2005-0910
[28] http://www.security-database.com/detail.php?alert=CVE-2004-1640
[29] http://www.security-database.com/detail.php?alert=CVE-2005-1031
[30] http://www.security-database.com/detail.php?alert=CVE-2005-0828
[31] http://www.security-database.com/detail.php?alert=CVE-2005-0743
[32] http://www.security-database.com/detail.php?alert=CVE-2002-0216
[33] http://www.security-database.com/detail.php?alert=CVE-2010-4616
[34] http://www.security-database.com/detail.php?alert=CVE-2008-2035
[35] http://www.security-database.com/detail.php?alert=CVE-2008-3453
[36] http://www.security-database.com/detail.php?alert=CVE-2008-5964
[37] http://www.security-database.com/detail.php?alert=CVE-2010-4271
[38] http://www.security-database.com/detail.php?alert=CVE-2005-4259
[39] http://www.security-database.com/detail.php?alert=CVE-2010-2936
[40] http://www.security-database.com/detail.php?alert=CVE-2010-2935
[41] http://developer.joomla.org/security/news/367-20110901-core-xss-vulnerability
[42] http://developer.joomla.org/security/news/369-20110903-core-information-disclosure
[43] http://www.mavitunasecurity.com/xss-vulnerability-in-joomla-163/
[44] http://developer.joomla.org/security/news/367-20110901-core-xss-vulnerability
[45] http://developer.joomla.org/security/news/350-20110603-unauthorised-access
[46] http://developer.joomla.org/security/news/374-20111102-core-password-change1.7.3
[47] http://developer.joomla.org/security/news/9-security/10-core-security/340-20110401-core-informationdisclosure.html
[48] http://www.security-database.com/detail.php?alert=CVE-2011-2488
[49] http://secunia.com/advisories/45230
[50] http://www.security-database.com/detail.php?alert=CVE-2011-3389
[51] http://developer.joomla.org/security/news/347-20110409-core-clickjacking.html
[52] http://www.security-database.com/detail.php?alert=CVE-2011-2892
[53] http://www.naked-security.com/nsa/200208.htm
[54] http://xforce.iss.net/xforce/xfdb/67776
[55] http://secunia.com/advisories/44785
[56] http://www.security-database.com/detail.php?alert=CVE-2004-1584
[57] http://www.security-database.com/detail.php?alert=CVE-2004-1559
[58] http://www.security-database.com/detail.php?alert=CVE-2007-1894
[59] http://www.security-database.com/detail.php?alert=CVE-2007-1732
[60] http://www.security-database.com/detail.php?alert=CVE-2007-1622
[61] http://www.security-database.com/detail.php?alert=CVE-2007-1049
[62] http://www.security-database.com/detail.php?alert=CVE-2007-0106
[63] http://www.security-database.com/detail.php?alert=CVE-2007-1897
[64] http://www.security-database.com/detail.php?alert=CVE-2007-0233
[65] http://www.security-database.com/detail.php?alert=CVE-2007-0107
[66] http://www.security-database.com/detail.php?alert=CVE-2007-1599
[67] http://www.security-database.com/detail.php?alert=CVE-2007-1409
[68] http://www.security-database.com/detail.php?alert=CVE-2007-1277
[69] http://www.security-database.com/detail.php?alert=CVE-2007-1244
[70] http://www.security-database.com/detail.php?alert=CVE-2007-0541
[71] http://www.security-database.com/detail.php?alert=CVE-2007-0540
[72] http://www.security-database.com/detail.php?alert=CVE-2007-0539
[73] http://www.security-database.com/detail.php?alert=CVE-2007-0109
[74] http://secunia.com/advisories/34209/
[75] http://www.f-secure.com/vulnerabilities/SA200901234
[76] http://www.security-database.com/detail.php?alert=CVE-2006-2137
[77] http://www.security-database.com/detail.php?alert=CVE-2006-1602
[78] http://www.security-database.com/detail.php?alert=CVE-2006-6361
[79] http://www.security-database.com/detail.php?alert=CVE-2006-3737
[80] http://www.security-database.com/detail.php?alert=CVE-2004-2702
[81] http://www.security-database.com/detail.php?alert=CVE-2001-1222