Network Security News – Sunday, January 08, 2006 Events
pinentry on Gentoo Linux Installation Permission Weakness
pinentry on Gentoo Linux contains a flaw that may allow a malicious user to access files with unauthorised privileges. The issue is present because pinentry is installed as SGID root. This may result in a loss of confidentiality and/or integrity. Read more at osvdb.org/22211
Revize CMS query_input.jsp webspace Variable SQL Injection
Revize CMS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the query_input.jsp script not properly sanitizing user-supplied input to the 'webspace' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database. Read more at osvdb.org/20920
ADN Forum crear.php Topic Field XSS
ADN Forum contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the topic variable upon submission to the 'crear.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. Read more at osvdb.org/22242
Foro Domus escribir.php email Variable SQL Injection
Foro Domus contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the escribir.php script not properly sanitizing user-supplied input to the 'email' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database. Read more at osvdb.org/22264
Aquifer CMS Index.asp Keyword Variable XSS
Aquifer CMS contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'Keyword' variable upon submission to the 'Public/Index.asp' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. Read more at osvdb.org/22247
Foro Domus escribir.php email Variable XSS
Foro Domus contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'email' variable upon submission to the escribir.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. Read more at osvdb.org/22263
rxvt-unicode non-unix pty TTY Device Permission Weakness
rxvt-unicode contains a flaw that may allow an unauthorised malicious user to read from or write to tty terminal devices. The issue is present because on systems with non-unix pseudo terminals, permissions were not updated correctly. This left them as world-writable and world-readable, resulting in a loss of confidentiality and integrity. Read more at osvdb.org/22223
AlstraSoft Affiliate Network Pro admin_options_manage.php Arbitrary Command Injection
Affiliate Network Pro contains a flaw that may allow an attacker to inject arbitrary commands. The issue is due to the admin_options_manage.php script not properly sanitizing user-supplied input to the 'number' variable. Read more at osvdb.org/20890