CVE-2006-6112
https://notcve.org/view.php?id=CVE-2006-6112
LifeType 1.0.x and 1.1.x have insufficient access control for all of the PHP scripts under (1) class/ and (2) plugins/, which allows remote attackers to obtain the installation path via a direct request to any of the scripts, as demonstrated by (a) bayesianfilter.class.php and (b) bootstrap.php, which leaks the path in an error message.
• http://securityreason.com/securityalert/1980
• http://www.lifetype.net/blog.php/lifetype-development-journal/2006/11/30/full_path_disclosure_vulnerability_in_lifetype_1.0.x_and_1.1.x
• http://www.netvigilance.com/advisory0008
• http://www.osvdb.org/30685
• http://www.securityfocus.com/archive/1/453135/100/0/threaded
• https://exchange.xforce.ibmcloud.com/vulnerabilities/30635
CVE-2006-3577 – LifeType 1.0.5 - 'index.php?Date' SQL Injection
https://notcve.org/view.php?id=CVE-2006-3577
SQL injection vulnerability in index.php in LifeType 1.0.5 allows remote attackers to execute arbitrary SQL commands via the Date parameter in a Default op.
• https://www.exploit-db.com/exploits/28166
• http://downloads.securityfocus.com/vulnerabilities/exploits/LifeType105SQLInjJuly052006.pl
• http://www.securityfocus.com/bid/18835
CVE-2006-2857 – LifeType 1.0.4 - SQL Injection
https://notcve.org/view.php?id=CVE-2006-2857
SQL injection vulnerability in index.php in LifeType 1.0.4 allows remote attackers to execute arbitrary SQL commands via the articleId parameter in a ViewArticle action (viewarticleaction.class.php).
• https://www.exploit-db.com/exploits/1874
• http://secunia.com/advisories/20460
• http://securityreason.com/securityalert/1046
• http://www.lifetype.net/blog.php/lifetype_development_journal/2006/06/04/important_security_upgrade_lifetype_1.0.5_released
• http://www.securityfocus.com/archive/1/435874/100/0/threaded
• http://www.securityfocus.com/bid/18264
• http://www.vupen.com/english/advisories/2006/2120
• https://exchange.xforce.ibmcloud.com/vulnerabilities/26916
CVE-2006-1808 – LifeType 1.0.3 - 'index.php' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2006-1808
Cross-site scripting (XSS) vulnerability in index.php in Lifetype 1.0.3 allows remote attackers to inject arbitrary web script or HTML via the show parameter in a Template operation.
• https://www.exploit-db.com/exploits/27646
• http://secunia.com/advisories/19646
• http://securitytracker.com/id?1015941
• http://www.securityfocus.com/archive/1/431008/100/0/threaded
• http://www.securityfocus.com/bid/17529
• http://www.vupen.com/english/advisories/2006/1367
• https://exchange.xforce.ibmcloud.com/vulnerabilities/25899
CVE-2006-1809
https://notcve.org/view.php?id=CVE-2006-1809
index.php in Lifetype 1.0.3 allows remote attackers to obtain sensitive information via an invalid show parameter, which reveals the path in an error message.
• http://securityreason.com/securityalert/711
• http://securitytracker.com/id?1015941
• http://www.securityfocus.com/archive/1/431008/100/0/threaded
• https://exchange.xforce.ibmcloud.com/vulnerabilities/25903