17 April 2007, 12:49

Web statistics software CNStats executes external code

Multiple bugs in CNStats, a web page access analysis application, allow attackers to execute their own PHP code on a server. This may permit access to the entire system. The who_r.php and who_s.php modules fail to filter the bj and bn parameters properly, allowing paths that include local or external PHP scripts can be entered. This does, however, require register_globals to be turned on, which is contrary to security recommendations. The bug was found in version 2.9. The current version 2.12 is apparently also affected. The only remedy at present is to turn off register_globals.

Also on The H:

Foxit Reader adds new security features - Update
SQL injection hole in PHP Nuke
SQL injection vulnerabilities in PHP-Nuke
New PostNuke version closes security holes
PHProjekt allows infiltration of foreign scripts
Usenet application MyNewsGroups endangers server security

Channels

Services

Web statistics software CNStats executes external code

Also on The H:

Content Security Policy halts XSS in its tracks

Skype's ominous link checking: Facts and speculation

Password protection for everyone

Two clicks for more privacy

What's new in SUSE Linux Enterprise 11 SP3

What's new in Fedora 19

What's new in Linux 3.10

Free Software post-PRISM

Kernel Log: Coming in 3.10 (Part 4) - Drivers

The trouble with "Business Source"

Kernel Log: Coming in 3.10 (Part 3) - Infrastructure

Whatever happened to Google?

Java EE 7 at a glance

Continuous database migration with Liquibase and Flyway

Unit testing with Node.js

Ruby 2.0 - the 20th birthday present

Linux Mint 15: A better Ubuntu for the desktop

What's new in Linux 3.9

Replacing Google Reader

Attacking TrueCrypt

The H

The H Open

The H Security

The H Developer

The H Internet Toolkit