Network Security News – Sunday, October 16, 2005 Events
Utopia News Pro news.php newsid Variable SQL Injection
Utopia News Pro contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'news.php' script not properly sanitizing user-supplied input to the 'newsid' variable. This may allow a remote attacker to inject or manipulate SQL queries in the backend database. Read more at osvdb.org/19942
Utopia News Pro header.php sitetitle Variable XSS
Utopia News Pro contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the 'sitetitle' variable upon submission to the 'header.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. Read more at osvdb.org/19940
Utopia News Pro footer.php Multiple Variable XSS
Utopia News Pro contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the 'version' and 'query_count' variables upon submission to the 'footer.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. Read more at osvdb.org/19941
Cyphor footer.php t_login Variable XSS
Cyphor contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the 't_login' variable upon submission to the 'footer.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. Read more at osvdb.org/19946
Cyphor lostpwd.php nick Field SQL Injection
Cyphor contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'lostpwd.php' script not properly sanitizing user-supplied input to the 'nick' variable. This may allow a remote attacker to inject or manipulate SQL queries in the backend database. Read more at osvdb.org/19943
Cyphor newmsg.php fid Variable SQL Injection
Cyphor contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'newmsg.php' script not properly sanitizing user-supplied input to the 'fid' variable. This may allow a remote attacker to inject or manipulate SQL queries in the backend database. Read more at osvdb.org/19944
Cyphor newmsg.php fid Variable XSS
Cyphor contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the 'fid' variable upon submission to the 'newmsg.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. Read more at osvdb.org/19945