Network Security News – Saturday, July 09, 2005 Events
XML-RPC for PHP (PHPXMLRPC) parseRequest() Function Arbitrary PHP Code Execution
XML-RPC for PHP (PHPXMLRPC) contains a flaw that may allow a remote attacker to execute arbitrary PHP code. The issue is due to the 'parseRequest()' function not properly sanitizing user-supplied input. By creating an XML file that uses single quotes to escape into the 'eval()' call, a remote attacker can execute arbitrary PHP code resulting in a loss of integrity. Read more at osvdb.org/17793
Xerox WorkCentre Unspecified Authentication Bypass
Xerox WorkCentre contains an unspecified flaw that may allow a malicious user to bypass authentication. No further details have been provided. Read more at osvdb.org/17765
Xerox WorkCentre Crafted HTTP Request DoS
Xerox WorkCentre contains a flaw that may allow a remote denial of service. The issue is triggered when specially constructed HTTP requests are sent to the embedded web server, and will result in loss of availability for the device. Read more at osvdb.org/17766
AutoIndex PHP Script index.php search Variable XSS
AutoIndex PHP Script contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the "search" variable upon submission to the index.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. Read more at osvdb.org/17753
Covide Groupware-CRM User ID SQL Injection
Covide Groupware-CRM contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to a script not properly sanitizing user-supplied input to the 'User ID' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database. Read more at osvdb.org/17752
pngcntrp kaiseki.cgi Arbitrary Command Execution
pngcntrp contains a flaw that may allow a malicious user to execute arbitrary commands. This flaw exists because the application does not validate input upon submission to the kaiseki.cgi script. It is possible that the flaw may allow arbitrary command execution resulting in a loss of integrity. Read more at osvdb.org/17784
MediaWiki Page Move Template XSS
MediaWiki contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate an unspecified parameter upon submission to the page move template. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. Read more at osvdb.org/17763
Microsoft IE PNG Image Processing Arbitrary Code Execution
A remote overflow exists in Windows. Internet Explorer fails to validate PNG files, resulting in a buffer overflow. With a specially crafted file, an attacker can cause arbitrary code execution resulting in a loss of integrity. Read more at osvdb.org/17313
Multiple Unix Vendor rlogin -froot Remote Authentication Bypass
The rlogin command of multiple Unix vendors contains a flaw that may allow a remote attacker to bypass authentication settings. The issue is triggered when using the '-froot' parameter, which allows a remote attacker to gain root access on a system without being prompted for a password, resulting in a loss of integrity. Read more at osvdb.org/1007