Open Source and information security mailing list archives
Date: Fri Jun 16 18:33:37 2006
From: joxeanpity at gmail.com (Joxean Koret)
Subject: Solved - Several flaws in e-business designer (eBD)

The advisory talks about 3 vulnerabilities:

1) File upload issues (related to your patch).
2) SQL injection and path disclosure.
3) Clear text authentication.

I can assume that the sysadmin could force https by himself, but... is the 2nd vuln really not related to eBD?

On 6/16/06, Blanca Pons de Dalmases <bpons@...yssoft.com> wrote:
>
> A bug in the eBD HTML editor has been discovered. It will allow a user
> to modify the images of the /imgfiles folder (the files raised in the
> option resources > images).
>
> Oasyssoft, the producer, has installed the patch in all our servers, so
> all MyeBD users are updated since the end of May.
>
> Anyway, you will find here the emergency patch installation
> http://lists.oasyssoft.com/ebd-devel/200605/binNr7awTFdvt.bin
> for being installed at your servers. Although this patch is for version
> 3.1.4, it is also available in all eBD versions.
>
> The other mentioned vulnerabilities have no relation to eBD. System
> managers are in charge of configuring their servers in a secure way,
> whether or not they are executing eBD.
>
> If you require further information, please contact us at
> ebd.soporte@...yssoft.com.
>
> Blanca Pons
> bpons@...yssoft.com
> Marketing and Communication Director
> e-business designer
> C/ Sardenya 56 Local
> 08005 Barcelona
> Tel: 902 181 349
> Fax: 932 217 303
> www.oasyssoft.com
> 2655 Le Jeune Rd. Suite 517
> Coral Gables, FL 33134 United States
> Phone: +1(305) 448 2148
> Fax: +1(305) 448 0097
> www.ebdsoft.com
>
> eBD is an Oasyssoft product
> This message (as well as any attached files or links it contains)
> may contain privileged or confidential information. If you are not the
> intended recipient, you are hereby notified that unauthorized use,
> disclosure and/or copying is prohibited under current legislation.
> If you have received this message in error, please notify us
> immediately by the same means and destroy it.
>
> This email (and any attachments or hyperlinks within it) may contain
> information that is confidential, legally privileged or otherwise protected
> from disclosure. If you are not the intended recipient of this email, you
> are not entitled to use, disclose, distribute, copy, print, disseminate or
> rely on this email in any way. If you have received this email in error,
> please notify the sender immediately by telephone or email and destroy it,
> and all copies of it.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/