CVE-2007-5222 – MD-Pro 1.0.76 - SQL Injection
https://notcve.org/view.php?id=CVE-2007-5222
SQL injection vulnerability in index.php in MAXdev MDPro (MD-Pro) 1.0.76 allows remote attackers to execute arbitrary SQL commands via a "Firefox ID=" substring in a Referer HTTP header.
References:
https://www.exploit-db.com/exploits/4467
https://www.exploit-db.com/exploits/30623
http://osvdb.org/38556
http://www.maxdev.com/Article641.phtml
http://www.securityfocus.com/bid/25864
http://www.securityfocus.com/data/vulnerabilities/exploits/25864.pl
http://www.vupen.com/english/advisories/2007/3314
https://exchange.xforce.ibmcloud.com/vulnerabilities/36871
Weakness: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2006-7112 – MDPro 1.0.76 - 'Cookie PNSVlang' Local File Inclusion
https://notcve.org/view.php?id=CVE-2006-7112
Directory traversal vulnerability in error.php in MD-Pro 1.0.76 and earlier allows remote authenticated users to read and include arbitrary files via the PNSVlang cookie, as demonstrated by uploading a GIF image using AddDownload or injecting PHP code into a log file, then accessing it.
References:
https://www.exploit-db.com/exploits/2712
http://www.securityfocus.com/bid/20912
https://exchange.xforce.ibmcloud.com/vulnerabilities/30026
Weakness: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2007-0623 – MDPro 1.0.76 - 'index.php' SQL Injection
https://notcve.org/view.php?id=CVE-2007-0623
SQL injection vulnerability in index.php in MAXdev MDPro 1.0.76 allows remote attackers to execute arbitrary SQL commands via the startrow parameter.
References:
https://www.exploit-db.com/exploits/29537
http://osvdb.org/33011
http://osvdb.org/33612
http://secunia.com/advisories/23948
http://securityreason.com/securityalert/2198
http://www.securityfocus.com/archive/1/458438/100/0/threaded
http://www.securityfocus.com/bid/22293
http://www.vupen.com/english/advisories/2007/0412
https://exchange.xforce.ibmcloud.com/vulnerabilities/31897
CVE-2007-0624
https://notcve.org/view.php?id=CVE-2007-0624
user.php in MAXdev MDPro 1.0.76 allows remote attackers to obtain the full path via a ' (quote) character, and possibly other invalid values, in the uname parameter in a userinfo operation.
References:
http://osvdb.org/33613
http://securityreason.com/securityalert/2198
http://www.securityfocus.com/archive/1/458438/100/0/threaded
https://exchange.xforce.ibmcloud.com/vulnerabilities/31898