Network Security News – Thursday, May 12, 2005 Events
Quick.Cart index.php iCategory Variable SQL Injection
Quick.Cart contains a flaw that may allow an attacker to inject arbitrary SQL queries. The issue is due to the 'iCategory' variable in the 'index.php' script not being properly sanitized, which may allow an attacker to inject or manipulate SQL queries. Read more at osvdb.org/16331
Quick.Cart index.php sWord Variable XSS
Quick.Cart contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the 'sWord' variable upon submission to the 'index.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. Read more at osvdb.org/16330
Quick.Forum /db/ Directory Information Disclosure
Quick.Forum contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote user directly calls any one of the numerous files located in the '/db/' directory. These files may disclose information such as all banned IP addresses, the usernames of the forum and all censored words, resulting in a loss of confidentiality. Read more at osvdb.org/16328
Quick.Forum Backup Database Disclosure
Quick.Forum contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote user directly calls the backup database file, which will disclose the backup archive of the forum's database information, resulting in a loss of confidentiality. Read more at osvdb.org/16329
Quick.Forum index.php Multiple Variable SQL Injection
Quick.Forum contains a flaw that may allow an attacker to inject arbitrary SQL queries. The issue is due to the 'iCategory' and 'page' variables in the 'index.php' script not being properly sanitized, which may allow an attacker to inject or manipulate SQL queries. Read more at osvdb.org/16326
Quick.Forum index.php newTopic Variable XSS
Quick.Forum contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the 'topic' field upon submission to the 'index.php' script. This could allow a user to submit specially crafted input in the 'topic' field that would execute arbitrary script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. Read more at osvdb.org/16327
NukeScripts NukeSentinel URL Encoding Filter Bypass
NukeScripts NukeSentinel contains a flaw related to its URL encoding filtering that may allow an attacker to bypass security restrictions. No further details have been provided. Read more at osvdb.org/16215
Arkeia Network Backup Client Default Password
By default, Arkeia Network Backup Client installs with a default password. The root account has a password of 'root', which is publicly known and documented. This allows attackers to trivially access the program or system. Read more at osvdb.org/15130
distcc Daemon Command Execution
distcc contains a flaw that may allow a malicious user to execute arbitrary commands. distcc does not perform any authentication or authorization of connections, and instead relies on third-party access controls. It is possible that the flaw may allow arbitrary command execution, resulting in a loss of integrity. Read more at osvdb.org/13378
Solaris in.lpd Arbitrary Local Command Execution
Solaris contains a flaw that may allow a malicious user to execute arbitrary commands. The issue is triggered when a specially crafted request is sent to the LPD daemon (in.lpd). It is possible that the flaw may allow arbitrary command execution, resulting in a loss of integrity. Read more at osvdb.org/15131
Apple QuickTime Quartz Composer File Information Disclosure Vulnerability
QuickTime Player is the media player distributed by Apple for QuickTime as well as other media files. It has been reported that QuickTime is affected by a vulnerability… Read more at securityfocus.com/bid/13603?ref=rss