Network Security News – Tuesday, August 23, 2005 Events
phpPgAds / phpAdsNew lib-view-direct.inc.php clientid Variable SQL Injection
phpPgAds / phpAdsNew contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the lib-view-direct.inc.php script not properly sanitizing user-supplied input to the 'clientid' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.. Read more at osvdb.org/18888
phpPgAds / phpAdsNew adlayer.php layerstyle Variable Traversal Arbitrary File Access
phpPgAds / phpAdsNew contains a flaw that allows a remote attacker to read files outside of the web path. The issue is due to the adlayer.php script not properly sanitizing user input, specifically traversal style attacks (../../) supplied via the 'layerstyle' variable.. Read more at osvdb.org/18886