Network Security News – Friday, February 17, 2006 Events
Clever Copy Private Message Subject Field XSS
Clever Copy contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the 'Subject' variable upon submission to the privatemessages.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. Read more at osvdb.org/23235
Plume CMS prepend.php _PX_config[manager_path] Variable Remote File Inclusion
Plume CMS contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to prepend.php not properly sanitizing user input supplied to the "_PF_CONFIG['manager_path']" variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script. Read more at osvdb.org/23204
@Mail Webmail Message HTML Image Tag XSS
@Mail contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate message HTML image tags upon submission to an email message. This could allow a user to create a specially crafted email that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. Read more at osvdb.org/23236
dotProject /modules/tasks/gantt.php baseDir Variable Remote File Inclusion
dotProject contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to /modules/tasks/gantt.php not properly sanitizing user input supplied to the 'baseDir' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script. Read more at osvdb.org/23219
dotProject /modules/public/date_format.php baseDir Variable Remote File Inclusion
dotProject contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to /modules/public/date_format.php not properly sanitizing user input supplied to the 'baseDir' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script. Read more at osvdb.org/23218
dotProject /modules/public/calendar.php baseDir Variable Remote File Inclusion
dotProject contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to /modules/public/calendar.php not properly sanitizing user input supplied to the 'baseDir' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script. Read more at osvdb.org/23217
dotProject /modules/admin/vw_usr_roles.php baseDir Variable Remote File Inclusion
dotProject contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to /modules/admin/vw_usr_roles.php not properly sanitizing user input supplied to the 'baseDir' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script. Read more at osvdb.org/23216
dotProject /modules/projects/vw_files.php dPconfig[root_dir] Variable Remote File Inclusion
dotProject contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to /modules/projects/vw_files.php not properly sanitizing user input supplied to the 'dPconfig[root_dir]' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script. Read more at osvdb.org/23215
dotProject /modules/projects/gantt2.php dPconfig[root_dir] Variable Remote File Inclusion
dotProject contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to /modules/projects/gantt2.php not properly sanitizing user input supplied to the 'dPconfig[root_dir]' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script. Read more at osvdb.org/23214
dotProject /modules/projects/gantt.php dPconfig[root_dir] Variable Remote File Inclusion
dotProject contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to /modules/projects/gantt.php not properly sanitizing user input supplied to the 'dPconfig[root_dir]' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script. Read more at osvdb.org/23213