. Updated Daily. Editions SDA India   SDA Indonesia
JAX Asia 2008 - Conference for Enterprise Java, SOA, Spring, Web Services, Ajax, Agile and more
BUSINESS ENTERPRISE SOLUTIONS ARCHITECTURE INFORMATION SECURITY WIRELESS & MOBILITY DATA & STORAGE DEVELOPMENT HARDWARE













News

Wednesday, 2 May 2007

Two Vulnerabilities Found in TCExam PHP Code Execution and Cross-Site Scripting
 

 

Secunia brings to your notice two vulnerabilities in TCExam, which can be exploited by malicious people to conduct cross-site scripting attacks or to compromise a vulnerable system. These vulnerabilities are as follows:

  • Input passed in the ‘SessionUserLang’ cookie to public/code/index.php is not properly sanitised before it is written to the filename after the last slash. This can be exploited to execute arbitrary PHP code.
  • Input passed to the "_SERVER[SCRIPT_NAME]" parameter in public/code/index.php is not properly sanitised before it is returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.


The vulnerabilities are confirmed in version 4.0.011. Prior versions may also be affected.
 

Read the Post

 
 
print save email comment

print

save

email

comment
 
 

Search SDA Asia

Free eNewsletter
SDA Asia Magazine Free Download
 
 
 
Copyright @ 2008 SDA Asia Magazine - All Right Reserved Privacy Policy | Terms of Use