H-Sphere psoft.hsphere.CP Multiple Variable XSS

Network Security News – Monday, July 03, 2006 Events

H-Sphere psoft.hsphere.CP Multiple Variable XSS

H-Sphere contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'next_template', 'start', 'curr_menu_id' and 'arid' variables upon submission to the psoft.hsphere.CP script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.. Read more at osvdb.org/26863

ActivePerl sitecustomize.pl Local Privilege Escalation

ActiveState ActivePerl contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when the attacker creates a malicious 'sitecustomize.pl' file in the 'site/lib' directory. This flaw may lead to a loss of integrity.. Read more at osvdb.org/25974

MyBulletinBoard (MyBB) Unspecified SQL Injection

MyBulletinBoard (MyBB) contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to an unspecified script not properly sanitizing user-supplied input to an unspecified variable during a SQL query. This may allow an attacker to inject or manipulate SQL queries in the backend database.. Read more at osvdb.org/26811

PHP error_log() Third Argument Safe Mode Bypass

PHP contains a flaw that may allow a malicious user to bypass the safe mode protection. The issue is triggered when error_log() function fails to validate the 'destination' variable. It is possible that the flaw may allow local users to bypass safe mode resulting in a loss of confidentiality and integrity.. Read more at osvdb.org/26827

Qdig index.php Multiple Variable XSS

Qdig contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'pre_gallery' and 'post_gallery' variables upon submission to the index.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.. Read more at osvdb.org/26828

GL-SH Deaf Forum show.php Multiple Variable XSS

GL-SH Deaf Forum contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 'sort', 'search', 'page', and 'action' variables upon submission to the show.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.. Read more at osvdb.org/26804

Bee-hive Lite conad/logout.inc.php mysqlCall Variable Remote File Inclusion

Bee-hive Lite contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to /conda/logout.inc.php script not properly sanitizing user input supplied to the 'mysqlCall' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.. Read more at osvdb.org/26820

Bee-hive Lite conad/login.inc.php mysqlCall Variable Remote File Inclusion

Bee-hive Lite contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the /conad/login.inc.php script not properly sanitizing user input supplied to the 'mysqlCall' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.. Read more at osvdb.org/26819

Bee-hive Lite conad/include/rootGui.inc.php header Variable Remote File Inclusion

Bee-hive Lite contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the /conad/include/rootGui.inc.php script not properly sanitizing user input supplied to the 'header' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.. Read more at osvdb.org/26815

Bee-hive Lite conad/include/mysqlCall.inc.php config Variable Remote File Inclusion

Bee-hive Lite contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the mysqlCall.inc.php script not properly sanitizing user input supplied to the 'config' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.. Read more at osvdb.org/26821