This CPE summary could be partial or incomplete. Please contact us for a detailed listing.


Vendor Xlinesoft First view 2006-11-16
Product Phprunner Last view 2009-03-19
Version 3.1 Type Application
Update *  
Edition *  
Language *  
Sofware Edition *  
Target Software *  
Target Hardware *  
Other *  
CPE Product cpe:2.3:a:xlinesoft:phprunner

Activity : Overall

Related : CVE

  Date Alert Description
5 2009-03-19 CVE-2009-0964

UserView_list.php in PHPRunner 4.2, and possibly earlier, stores passwords in cleartext in the database, which allows attackers to gain privileges. NOTE: this can be leveraged with a separate SQL injection vulnerability to obtain passwords remotely without authentication.

7.5 2009-03-19 CVE-2009-0963

Multiple SQL injection vulnerabilities in PHPRunner 4.2, and possibly earlier, allow remote attackers to execute arbitrary SQL commands via the SearchField parameter to (1) UserView_list.php, (2) orders_list.php, (3) users_list.php, and (4) Administrator_list.php.

2.1 2006-11-16 CVE-2006-5956

XLineSoft PHPRunner 3.1 stores the (1) database server name, (2) database names, (3) usernames, and (4) passwords in plaintext in %WINDIR%\PHPRunner.ini, which allows local users to obtain sensitive information by reading the file.

CWE : Common Weakness Enumeration

50% (1) CWE-255 Credentials Management
50% (1) CWE-89 Improper Sanitization of Special Elements used in an SQL Command ('...

CAPEC : Common Attack Pattern Enumeration & Classification

id Name
CAPEC-31 Accessing/Intercepting/Modifying HTTP Cookies
CAPEC-37 Lifting Data Embedded in Client Distributions
CAPEC-65 Passively Sniff and Capture Application Code Bound for Authorized Client
CAPEC-117 Data Interception Attacks
CAPEC-155 Screen Temporary Files for Sensitive Information
CAPEC-157 Sniffing Attacks
CAPEC-167 Lifting Sensitive Data from the Client
CAPEC-204 Lifting cached, sensitive data embedded in client distributions (thick or thin)
CAPEC-205 Lifting credential(s)/key material embedded in client distributions (thick or...
CAPEC-258 Passively Sniffing and Capturing Application Code Bound for an Authorized Cli...
CAPEC-259 Passively Sniffing and Capturing Application Code Bound for an Authorized Cli...
CAPEC-260 Passively Sniffing and Capturing Application Code Bound for an Authorized Cli...

Open Source Vulnerability Database (OSVDB)

id Description
52804 PHPRunner UserView_list.php Database Cleartext Password Disclosure
52801 PHPRunner Administrator_list.php SearchField Parameter SQL Injection
52800 PHPRunner users_list.php SearchField Parameter SQL Injection
52799 PHPRunner orders_list.php SearchField Parameter SQL Injection
52798 PHPRunner UserView_list.php SearchField Parameter SQL Injection
30363 PHPRunner PHPRunner.ini Database Credential Local Cleartext Disclosure