Network Security News – Monday, July 31, 2006 Events
Dokeos Multiple Unspecified XSS
Dokeos contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate unspecified variable(s) upon submission to unspecified script(s). This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.. Read more at osvdb.org/27586
Codewalkers PHP Event Calendar calendar.php id Variable SQL Injection
PHP Event Calendar contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'calendar.php' script not properly sanitizing user-supplied input to the 'id' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.. Read more at osvdb.org/27539
Wheatblog view_links.php wb_inc_dir Variable Remote File Inclusion (Myth/Fake)
Wheatblog has been reported to contain a flaw that may allow a remote attacker to execute arbitrary commands. The issue is supposedly due to the view_links.php script not properly sanitizing user input supplied to the 'wb_inc_dir' variable. However, subsequent evaluation by multiple researchers indicate that a user does not have the ability to manipulate input to the variable as reported.. Read more at osvdb.org/27596