Network Security News – Saturday, July 02, 2005 Events
PHP-Fusion submit.php Multiple Variable XSS
PHP-Fusion contains a flaw that allows a remote cross-site scripting attack. The application does not validate the news_body, article_description, and article_body variables on submission to the submit.php script, so a user can craft a URL that executes arbitrary script in a victim's browser within the trust relationship between the browser and the server, leading to a loss of integrity. Read more at osvdb.org/17611
Comdev News Publisher wce.editnews.php s_type Variable XSS
Comdev News Publisher contains a flaw that allows a remote cross-site scripting attack. The application does not validate the 's_type' variable on submission to the wce.editnews.php script, so a user can craft a URL that executes arbitrary script in a victim's browser within the trust relationship between the browser and the server, leading to a loss of integrity. This flaw requires administrative access to exploit. Read more at osvdb.org/17651
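The two reports above are the same flaw class: a submitted field is echoed back into the page without HTML encoding. The following is an added example, not PHP-Fusion or Comdev code, showing the unencoded echo beside the encoded one and the "specially crafted URL" that triggers it. The field names news_body, article_description and article_body are the ones named in the PHP-Fusion report; the page layout, the base URL, the payload and the helper names are assumptions made for the demo.

```python
"""Added example (not PHP-Fusion or Comdev code): reflected XSS from an
unencoded echo of submitted fields, and the context-correct encoding that
stops it.  Layout, URL, payload and helper names are constructed for the demo.
"""
import html
from urllib.parse import urlencode

# Field names from the PHP-Fusion report; the page that echoes them is assumed.
FIELDS = ("news_body", "article_description", "article_body")


def render_preview_vulnerable(params: dict) -> str:
    """Echo the submitted fields back verbatim: one inside an attribute value,
    two inside element bodies.  This is the flaw class the advisories describe."""
    desc = params.get("article_description", "")
    news = params.get("news_body", "")
    body = params.get("article_body", "")
    return (
        f'<input name="article_description" value="{desc}">\n'
        f'<div class="news">{news}</div>\n'
        f'<div class="article">{body}</div>'
    )


def render_preview_safe(params: dict) -> str:
    """Same page, with every client value HTML-encoded for its context.

    quote=True encodes ' and " as well as < > &.  Inside value="..." that is
    the part that matters: encoding only < > & still lets "> close the
    attribute and start a new tag."""
    esc = {k: html.escape(params.get(k, ""), quote=True) for k in FIELDS}
    return (
        f'<input name="article_description" value="{esc["article_description"]}">\n'
        f'<div class="news">{esc["news_body"]}</div>\n'
        f'<div class="article">{esc["article_body"]}</div>'
    )


def crafted_url(base: str, field: str, payload: str) -> str:
    """Build the URL a victim would be sent: the payload rides in the query string."""
    return base + "?" + urlencode({field: payload})


def reflected_unescaped(page: str, payload: str) -> bool:
    """True if the raw payload survives in the rendered page."""
    return payload in page


PAYLOAD = '"><script>alert(document.cookie)</script>'  # constructed test input

if __name__ == "__main__":
    for field in FIELDS:
        params = {field: PAYLOAD}
        print(crafted_url("http://example.invalid/submit.php", field, PAYLOAD))
        print("vulnerable reflects payload:",
              reflected_unescaped(render_preview_vulnerable(params), PAYLOAD))
        print("encoded reflects payload:   ",
              reflected_unescaped(render_preview_safe(params), PAYLOAD))
```

The check in `reflected_unescaped` is the same one you would run against a live target: request the crafted URL and look for the payload verbatim in the response body. A response that contains `&lt;script&gt;` instead is encoded correctly for that context.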
Golden FTP Server Pro LS Command Traversal Information Disclosure
Golden FTP Server Pro contains a flaw that may lead to unauthorized information disclosure. The issue is an input validation error in the handling of the LS command: after changing directory to a share, passing "\.." as the argument to LS lists the contents of the application directory (which contains, for example, files named after valid users), resulting in a loss of confidentiality. Read more at osvdb.org/17678
Golden FTP Server Pro Nonexistent File Request Path Disclosure
Golden FTP Server Pro contains a flaw that may lead to unauthorized information disclosure. The issue is triggered by changing to a share directory and then attempting to retrieve a nonexistent file; the error response discloses the absolute on-disk path of the share, resulting in a loss of confidentiality. Read more at osvdb.org/17679
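The two Golden FTP Server Pro reports above describe two halves of one server-side mistake: a traversal check that does not treat "\" as a path separator, and an error message that echoes the resolved on-disk path. The following is an added example, not Golden FTP Server Pro code, of how a share-confined FTP handler resolves LIST and RETR arguments and how it reports a missing file. The share root, the in-memory directory tree and the reply strings are constructed for the demo; only the "\.." argument and the path-in-error behaviour come from the reports.

```python
"""Added example (not Golden FTP Server Pro code): confining LIST and RETR
arguments to a share root on a Windows-style server, and answering a
missing-file request without echoing the on-disk path.

SHARE_ROOT, FILES, DIRS and the reply strings are constructed for the demo.
"""
import ntpath
import posixpath

SHARE_ROOT = r"C:\ftp\share"  # hypothetical on-disk root of the share

# Constructed in-memory share; nothing here touches the real filesystem.
FILES = {"/pub/readme.txt": b"hello", "/pub/data.bin": b"\x00\x01"}
DIRS = {"/", "/pub"}


class PathEscape(ValueError):
    """Client-supplied path would leave the share."""


def to_virtual(cwd: str, arg: str) -> str:
    """Join a client argument onto the virtual cwd and normalise it.

    Backslashes are converted to "/" before anything else: the LS "\\.."
    report is a server that handed the backslash form to Windows while its
    own traversal check only understood "/".  Drive letters and UNC prefixes
    are rejected outright rather than "normalised".
    """
    rel = arg.replace("\\", "/")
    if ":" in rel or rel.startswith("//"):
        raise PathEscape(f"drive or UNC syntax rejected: {arg!r}")
    joined = rel if rel.startswith("/") else posixpath.join(cwd, rel)
    # Anchoring at "/" before normpath makes any ".." above the root collapse to "/".
    return posixpath.normpath("/" + joined.lstrip("/"))


def to_disk(virt: str) -> str:
    """Map a normalised virtual path to disk and re-check containment.

    After to_virtual() this check cannot fail; an independent check on the
    final path is still kept because it catches the next encoding trick that
    the first stage does not know about.
    """
    root = ntpath.normpath(SHARE_ROOT)
    disk = ntpath.normpath(ntpath.join(root, virt.lstrip("/").replace("/", "\\")))
    if ntpath.commonpath([root, disk]) != root:
        raise PathEscape(f"resolved outside share: {disk}")
    return disk


def handle_list(cwd: str, arg: str = ".") -> list:
    """LIST: names directly under the resolved directory, or FileNotFoundError."""
    virt = to_virtual(cwd, arg)
    to_disk(virt)  # containment check; the disk path is never sent to the client
    if virt not in DIRS:
        raise FileNotFoundError(virt)
    entries = [p for p in set(FILES) | DIRS
               if p != virt and posixpath.dirname(p) == virt]
    return sorted(posixpath.basename(p) for p in entries)


def handle_retr(cwd: str, arg: str) -> str:
    """RETR reply line.  Errors name the client's virtual path, never SHARE_ROOT."""
    try:
        virt = to_virtual(cwd, arg)
        to_disk(virt)
    except PathEscape:
        return "550 Access denied."
    if virt not in FILES:
        # The second report is an error reply built from the resolved disk
        # path; this one is built from the client's own view of the share.
        return f"550 {virt}: No such file."
    return "150 Opening data connection."


if __name__ == "__main__":
    print(handle_list("/pub", "\\.."))            # ['pub']: stays inside the share
    print(handle_retr("/pub", "does-not-exist"))  # 550 /pub/does-not-exist: No such file.
    print(handle_retr("/pub", "C:\\boot.ini"))    # 550 Access denied.
```

The same two-stage shape applies to any server that maps client paths onto a Windows filesystem: normalise both separator styles into one virtual namespace first, then confirm the final on-disk path is still under the root, and build every client-visible message from the virtual path.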
Microsoft Site Server driver.asp Information Disclosure
Microsoft Site Server contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when using the 'LDAP_Anonymous' account and accessing the 'driver.asp' script, which will disclose installed ODBC drivers resulting in a loss of confidentiality. Read more at osvdb.org/17654
Microsoft Site Server domain.asp Information Disclosure
Microsoft Site Server contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when using the 'LDAP_Anonymous' account and accessing the 'domain.asp' script, which will disclose the domain names the server is associated with, resulting in a loss of confidentiality. Read more at osvdb.org/17653
Microsoft Site Server findserver.asp Information Disclosure
Microsoft Site Server contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when using the 'LDAP_Anonymous' account and accessing the 'findserver.asp' script, which will disclose installed Site Server components resulting in a loss of confidentiality. Read more at osvdb.org/17652
Microsoft Site Server DSN.asp Information Disclosure
Microsoft Site Server contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when using the 'LDAP_Anonymous' account and accessing the 'DSN.asp' script, which will disclose the Data Source Names (DSN) for selected ODBC drivers resulting in a loss of confidentiality. Read more at osvdb.org/17655
Microsoft Site Server UserManager.asp Arbitrary LDAP Modification
Microsoft Site Server contains a flaw that may allow a remote attacker to arbitrarily modify the LDAP configuration. The issue is triggered when using the 'LDAP_Anonymous' account and accessing the 'UserManager.asp' script, which may allow a remote attacker to arbitrarily create, modify and/or delete LDAP users resulting in a loss of integrity. Read more at osvdb.org/17657
Microsoft Site Server LDAP_Anonymous Account Default Password
By default, Microsoft Site Server installs with a default password. The 'LDAP_Anonymous' account has a password of 'LdapPassword_1' which is publicly known and documented. This allows attackers to trivially access the system. Read more at osvdb.org/831
Vuln: XML-RPC for PHP Remote Code Injection Vulnerability
XML-RPC for PHP Remote Code Injection Vulnerability. Read more at securityfocus.com/bid/14088
Vuln: OpenLDAP TLS Plaintext Password Vulnerability
OpenLDAP TLS Plaintext Password Vulnerability. Read more at securityfocus.com/bid/14125
Vuln: PADL Software PAM_LDAP TLS Plaintext Password Vulnerability
PADL Software PAM_LDAP TLS Plaintext Password Vulnerability. Read more at securityfocus.com/bid/14126
Vuln: OSTicket Multiple Input Validation Vulnerabilities
OSTicket Multiple Input Validation Vulnerabilities. Read more at securityfocus.com/bid/14127
/dev/random is probably not
/dev/random is probably not. Read more at securityfocus.com/archive/1/403986
TSLSA-2005-0031 – multi
TSLSA-2005-0031 – multi. Read more at securityfocus.com/archive/1/403989
[SECURITY ALERT] osTicket bugs
[SECURITY ALERT] osTicket bugs. Read more at securityfocus.com/archive/1/403990
PHPXMLRPC Remote Code Execution
PHPXMLRPC Remote Code Execution. Read more at securityfocus.com/archive/1/403987