TeamPass Multiple Security Vulnerabilities

Summary
This host is installed with TeamPass and is prone to multiple vulnerabilities.
Impact
Successful exploitation will allow an attacker to execute arbitrary HTML and script code in a user's browser session in the context of an affected site, and to manipulate SQL queries by injecting arbitrary SQL code.
Impact Level: Application
Solution
Upgrade to TeamPass 2.1.20 or later. For updates refer to http://www.teampassword.com
Insight
Multiple flaws are due to:
- Input passed via the 'language' GET parameter to index.php is not properly verified before being used to include files.
- An error within the authentication mechanism can be exploited to access otherwise restricted scripts and subsequently, e.g., execute arbitrary PHP code by uploading a malicious PHP script.
- Input passed via the 'login' POST parameter to sources/main.queries.php (when 'type' is set to 'send_pw_by_email' or 'generate_new_password') is not properly sanitised before being used in SQL queries.
- Certain input passed to datatable.logs.php and to multiple scripts in sources/datatable/ is not properly sanitised before being used in SQL queries.
- Input passed via the 'group' and 'id' GET parameters to items.php (when both are set) is not properly sanitised before being returned to the user.
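The first and third items above describe two classic PHP defects: a file include driven by a request parameter, and a SQL query built by string concatenation from a request parameter. The snippet below is an added illustration of the hardened form of both patterns; it is not TeamPass code, and the function names, the language allowlist and the users table are assumptions made for the example.

```php
<?php
// Added example (not TeamPass code): hardened forms of a request-driven file
// include and a request-driven SQL lookup.

// Hypothetical allowlist of the language files the application actually ships.
const ALLOWED_LANGUAGES = ['english', 'french', 'german'];

// Map a user-supplied language name to a file path. Only an exact allowlist
// match is ever placed in the path; anything else falls back to the default,
// so traversal sequences or unexpected names never reach include().
function resolveLanguageFile(string $requested, string $baseDir): string
{
    if (!in_array($requested, ALLOWED_LANGUAGES, true)) {
        $requested = 'english';
    }
    return $baseDir . '/includes/language/' . $requested . '.php';
}

// Look up a user by login with a bound parameter. The value is sent to the
// driver separately from the SQL text, so it cannot change the query structure
// regardless of quotes or keywords it contains.
function findUserByLogin(PDO $db, string $login): ?array
{
    $stmt = $db->prepare('SELECT id, login, email FROM users WHERE login = :login');
    $stmt->execute([':login' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage with a constructed in-memory SQLite database as a stand-in schema.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, email TEXT)');
$db->exec("INSERT INTO users (login, email) VALUES ('alice', 'alice@example.org')");

// An unlisted name falls back to the default file rather than being included.
var_dump(resolveLanguageFile('not-a-language', '/var/www/app'));   // .../english.php
var_dump(resolveLanguageFile('french', '/var/www/app'));           // .../french.php

// A login containing a quote is simply a non-matching value, not a query error.
var_dump(findUserByLogin($db, 'alice'));      // array with id, login, email
var_dump(findUserByLogin($db, "o'brien"));    // NULL
```

The same two rules cover the remaining items in the list: any value that selects a file, a table or a column is checked against a fixed allowlist, and any value that is compared or inserted in SQL is bound rather than concatenated; output returned to the browser (the items.php case) is additionally passed through htmlspecialchars() with ENT_QUOTES before being written into the page.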
Affected
TeamPass version 2.1.19 and prior.
Detection
Send a crafted HTTP GET request and check whether the response shows that the security check has been bypassed.
References