Network Security

Network Security News Monitor - Friday, April 14, 2006 Events

 

Manila msgReader mode Variable XSS

Manila contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the 'mode' variable upon submission to the msgReader script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

NetBSD Intel Hardware RNG Failure Encryption Weakness

NetBSD contains a flaw that may reduce the quality of random numbers used when encrypting data. The issue is triggered by incorrectly detecting the presence of Intel's 'pchb' random number generator when it is not in fact present. The flaw may reduce the quality of random data used by encryption mechanisms, resulting in a loss of confidentiality.

Cherokee Web Server Error 400 XSS

Cherokee contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the server does not validate user-supplied input when nonexistent URLs with embedded scripting code are requested. This could allow an attacker to create a specially crafted URL that would not be understood by the web server and result in a 400 Error page, enabling them to execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.