Network Security News Monitor - Thursday, March 02, 2006 Events

DirectContact Server Traversal Arbitrary File Access

DirectContact contains a flaw that allows a remote attacker to read the contents of arbitrary files outside of the web path. The issue is due to DirectContact not properly sanitizing user input, specifically directory traversal style attacks (../../) supplied to the server.. Read more.

bttlxeForum failure.asp err_txt Variable XSS

bttlxeForum contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'err_txt' variable upon submission to the 'failure.asp' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.. Read more.

LanSuite LanParty Intranet System index.php fid Variable SQL Injection

LanSuite contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'index.php' script not properly sanitizing user-supplied input to the 'fid' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.. Read more.