Network Security News – Thursday, March 02, 2006 Events
DirectContact Server Traversal Arbitrary File Access
DirectContact contains a flaw that allows a remote attacker to read the contents of arbitrary files outside of the web path. The issue is due to DirectContact not properly sanitizing user input, specifically directory traversal sequences (../../) supplied to the server. Read more at osvdb.org/23519
bttlxeForum failure.asp err_txt Variable XSS
bttlxeForum contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the 'err_txt' variable upon submission to the 'failure.asp' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. Read more at osvdb.org/23540
LanSuite LanParty Intranet System index.php fid Variable SQL Injection
LanSuite contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'index.php' script not properly sanitizing user-supplied input to the 'fid' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database. Read more at osvdb.org/23533