Best Security Research
|»||netVigilance is an active contributor to nvd.nist.gov
|»||Every vulnerability in our database is independently scored according to CVSS 2.0
|»||Our Scoring is compared to nvd.nist.gov and inconsistencies are reported to the NVD team at NIST
netVigilance is responsible for more than 400 changes to the National Vulnerability Database - more than anyone else.
|»||Our Professional Services team will validate any vulnerability Scoring for you.
Fact: More than 15 vulnerabilities were discovered EVERY day of 2009
WSPortal is a site management system coded in PHP/MySQL. It is capable of adding pages, adding news to pages, adding images to news articles, alerting the site or a specific ip address, private messaging system between administrators.
Successful exploitation requires PHP magic_quotes_gpc set to OFF.
Mitre CVE: CVE-2007-3127
NVD NIST: CVE-2007-3127
WSPortal is a site management system coded in PHP/MySQL.
Security problem in the product allows attackers to gather the true path of the server-side script.
June 17 2007
Access Vector: Remote
Access Complexity: Low
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None
Impact Bias: Normal
CVSS Base Score: 2.3
Target Distribution on Internet: Low
Exploitability: Functional Exploit
Remediation Level: Workaround
Report Confidence: Uncorroborated
Vulnerability Impact: Attack
Host Impact: Path disclosure.
SecureScout Testcase ID:
WSPortal version 1.0
Program flaws - The product scripts have flaws which lead to Warnings or even Fatal Errors.
The Vendor has been notified several times on many different email addresses last on 6 June 2007. The Vendor has not responded. There is no official fix at the release of this Security Advisory.
Set display_errors = Off (php.ini file) or set magic_quotes_gpc = On (php.ini file).
<b>Warning</b>: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in <b>[DISCLOSED PATH][WSPORTAL-DIRECTORY]\content.php</b> on line <b>67</b><br /> <b>Warning</b>: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in <b>[DISCLOSED PATH][WSPORTAL-DIRECTORY]\content.php</b> on line <b>76</b><br />