This host is running Open Business Management and is prone to multiple vulnerabilities.
Successful exploitation will allow an attacker to conduct SQL injection attacks, gain sensitive information, and execute arbitrary HTML and script code in a user's browser session in the context of a vulnerable site.
Impact Level: Application
No solution or patch was made available for at least one year after disclosure of this vulnerability, and it is likely that none will be provided. General solution options are to upgrade to a newer release, disable the affected features, remove the product, or replace it with another product.
Multiple vulnerabilities are due to:
- Improper access restrictions on the 'test.php' script, which calls the phpinfo function, allowing attackers to obtain configuration information via a direct request to test.php.
- Input passed via the 'sel_domain_id' and 'action' parameters to 'obm.php' is not properly sanitised before being used in SQL queries.
- Input passed via the 'tf_user' parameter to group/group_index.php and the 'tf_name', 'tf_delegation', and 'tf_ip' parameters to host/host_index.php is not properly sanitised before being used in SQL queries.
- Input passed to the 'tf_name', 'tf_delegation', and 'tf_ip' parameters in index.php, the 'login' parameter in obm.php, and the 'tf_user' parameter in group/group_index.php is not properly sanitised before being returned to the user.
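As an added defender-side example (not part of the advisory and not code from the OBM project), the following Python scans Apache access-log lines for the two exposure patterns listed above: direct requests to test.php, and SQL or HTML metacharacters in the named parameters of obm.php, index.php, group/group_index.php and host/host_index.php. The /obm/ install prefix and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

# Scripts and parameters named in the advisory, matched by path suffix because the
# install prefix (assumed to be /obm/ in the sample below) varies per deployment.
WATCHED = {
    "/test.php": set(),  # any direct request matters: it exposes phpinfo() output
    "/obm.php": {"sel_domain_id", "action", "login"},
    "/index.php": {"tf_name", "tf_delegation", "tf_ip"},
    "/group/group_index.php": {"tf_user"},
    "/host/host_index.php": {"tf_name", "tf_delegation", "tf_ip"},
}
# Metacharacters that never belong in a domain id, user name, host name or IP field.
SUSPICIOUS = re.compile(r"""['"<>;]|--|/\*""")
# Apache common/combined log prefix: client, ident, user, timestamp, request, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" \d{3}')

def check_line(line):
    """Return (client_ip, path, reason) for a request that touches one of the
    advisory's weak spots, or None for an unremarkable request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m.group("target"))
    for script, params in WATCHED.items():
        if url.path.endswith(script):
            break
    else:
        return None
    if script == "/test.php":
        return (m.group("ip"), url.path, "direct request to test.php (phpinfo exposure)")
    query = parse_qs(url.query, keep_blank_values=True)  # percent-decodes, so %27 becomes '
    for name in sorted(params):
        for value in query.get(name, []):
            if SUSPICIOUS.search(value):
                return (m.group("ip"), url.path, f"suspicious value in {name}: {value!r}")
    return None

def scan(lines):
    """Run check_line over an iterable of log lines and keep the findings."""
    return [f for f in map(check_line, lines) if f is not None]

# Constructed sample log lines (not real traffic); one benign request for contrast.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /obm/test.php HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /obm/obm.php?sel_domain_id=1 HTTP/1.1" 200 2048',
    '203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /obm/obm.php?sel_domain_id=1%27 HTTP/1.1" 500 300',
    '198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /obm/group/group_index.php?tf_user=%3Cb%3E HTTP/1.1" 200 800',
]
```

Feeding a real access log through scan() yields one tuple per flagged request; the benign second sample line produces nothing.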
Affected software: Open Business Management (OBM) 2.4.0-rc13 and prior
CVE: CVE-2011-5141, CVE-2011-5142, CVE-2011-5143, CVE-2011-5144, CVE-2011-5145
CVSS Base Score: 6.0