Survey Wizard survey.php sid Variable SQL Injection

Network Security News – Monday, November 28, 2005 Events

Survey Wizard survey.php sid Variable SQL Injection

Survey Wizard contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'survey.php' script not properly sanitizing user-supplied input to the 'sid' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.. Read more at osvdb.org/21104

AgileBill index.php id Variable SQL Injection

AgileBill contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'index.php' script not properly sanitizing user-supplied input to the 'id' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.. Read more at osvdb.org/21103

IsolSoft Support Center search.php Multiple Variable SQL Injection

Support Center contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the search.php script not properly sanitizing user-supplied input to the "lorder", "Priority", "Status", "Category", "searchvalue", and "field" variables. This may allow an attacker to inject or manipulate SQL queries in the backend database.. Read more at osvdb.org/21102

AlstraSoft Affiliate Network Pro index.php Act Variable XSS

Affiliate Network Pro contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the "firstname" and "lastname" variables upon submission to the index.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.. Read more at osvdb.org/20892

phpWordPress index.php Multiple Variable SQL Injection

phpWordPress contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the index.php script not properly sanitizing user-supplied input to the "poll", "category", and "ctg" variables. This may allow an attacker to inject or manipulate SQL queries in the backend database.. Read more at osvdb.org/21110

SpeedProject Multiple Product ZIP/UUE Archive File Pathname Overflow

A local overflow exists in SpeedCommander, Squeez, and ZipStar. The products fail to safely use the "lstrcat()" function in the "CxZIP60.dll", "CxZIP60u.dll", "CxUux60.dll", "CxUux60u.dll" modules while processing filename pathnames resulting in a stack-based overflow. With a specially crafted archive, an attacker can cause the execution of arbitrary code resulting in a loss of integrity.. Read more at osvdb.org/21073

ActiveCampaign SupportTrio index.php page Variable Local File Inclusion

SupportTrio contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to index.php' not properly sanitizing user input supplied to the 'page' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.. Read more at osvdb.org/21101

AlstraSoft Affiliate Network Pro /admin/index.php Err Variable XSS

Affiliate Network Pro contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the "Err" variable upon submission to the /admin/index.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.. Read more at osvdb.org/20891

ActiveCampaign KnowledgeBuilder index.php category Variable Path Disclosure

KnowledgeBuilder contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker passes input to the 'category' parameter in the 'index.php' script, which will disclose the software's installation path resulting in a loss of confidentiality. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.. Read more at osvdb.org/21097

Ekinboard profile.php id Variable XSS

Ekinboard contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the "id" variable upon submission to the profile.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.. Read more at osvdb.org/20844

Vuln: Microsoft Windows MSDTC Memory Corruption Vulnerability

Microsoft Windows MSDTC Memory Corruption Vulnerability. Read more at securityfocus.com/bid/15056