Network Security News – Tuesday, March 14, 2006
WMNews wmcomments.php ArtID Variable XSS
WMNews contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the 'ArtID' variable upon submission to the wmcomments.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. Read more at osvdb.org/23842
WMNews footer.php ctrrowcol Variable XSS
WMNews contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the 'ctrrowcol' variable upon submission to the footer.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. Read more at osvdb.org/23841
WMNews wmview.php ArtCat Variable XSS
WMNews contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the 'ArtCat' variable upon submission to the wmview.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. Read more at osvdb.org/23840
Dwarf HTTP Crafted Request Script Source Disclosure
Dwarf HTTP contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker makes a specially crafted request using dot, space, slash and NULL characters, which will disclose script source code, resulting in a loss of confidentiality. Read more at osvdb.org/23836
Dwarf HTTP Error Message XSS
Dwarf HTTP contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate user-supplied input submitted to the server via the URL, which is then displayed on the error page. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. Read more at osvdb.org/23837
QwikiWiki index.php Multiple Variable XSS
QwikiWiki contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the 'from' or 'help' variables upon submission to the index.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. Read more at osvdb.org/23786
QwikiWiki login.php Multiple Variable XSS
QwikiWiki contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the 'action', 'page', 'debug', 'help', 'username' or 'password' variables upon submission to the login.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. Read more at osvdb.org/23787
QwikiWiki pageindex.php help Variable XSS
QwikiWiki contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the 'help' variable upon submission to the pageindex.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. Read more at osvdb.org/23788
JiRos Banner System Professional addadmin.asp Unauthenticated Privileged Account Creation
JiRos Banner System Professional contains a flaw that may allow a malicious user to gain unauthorized privileges. The issue is caused by a failure in the application to properly perform authentication before granting administrator access. By making a direct request to the addadmin.asp script, an unauthenticated user may create a new account and set any privileges (including administrative). Read more at osvdb.org/23780