Network Security News – Wednesday, August 24, 2005 Events
PHPFreeNews SearchResults.php Multiple Variable XSS
PHPFreeNews contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'Match' and 'CatID' variables upon submission to the 'SearchResults.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.. Read more at osvdb.org/18852
LM Sensors /tmp/fancontrol Symlink Arbitrary File Overwrite
lm_sensors contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered by the pwmconfig script, which creates the temporary file "/tmp/fancontrol" insecurely when saving the configuration. This can allow the user to creat or overwrite arbitrary files with the privileges of the user invoking the vulnerable script via a well timed symlink. This flaw may lead to a loss of availability and integrity.. Read more at osvdb.org/18905