CVE-2005-1141
Integer overflow in the readpgm function in pnm.c for GOCR 0.40, when using the netpbm library, allows remote attackers to execute arbitrary code via a PNM file with large width and height values, which...
Cross-site scripting (XSS) vulnerability in myBloggie 2.1.1 allows remote attackers to inject arbitrary web script or HTML via the comments. Date published : 2005-04-16 http://www.securityfocus.com/bid/13192 http://www.securityfocus.com/archive/1/395988
Opera 8 Beta 3, when using first-generation vetted digital certificates, displays the Organizational information of an SSL certificate, which is easily spoofed and can facilitate phishing attacks. Date published : 2005-04-16 http://www.securityfocus.com/bid/13176 http://www.geotrust.com/resources/advisory/sslorg/index.htm
Unknown vulnerability in WebMail in Kerio MailServer before 6.0.9 allows remote attackers to cause a denial of service (CPU consumption) via certain e-mail messages. Date published : 2005-04-16 http://www.kerio.com/kms_history.html http://securitytracker.com/id?1013708
Simple PHP Blog (sphpBlog) 0.4.0 allows remote attackers to obtain sensitive information via a direct request to sb_functions.php, which leaks the full pathname in a PHP error message. Date published : 2005-04-16 http://marc.info/?l=bugtraq&m=111359320312609&w=2 http://echo.or.id/adv/adv12-y3dips-2005.txt
Simple PHP Blog (sphpBlog) 0.4.0 stores the (1) password.txt and (2) config.txt files under the web document root, which allows remote attackers to obtain sensitive information and crack passwords via a direct request to...
Cross-site scripting (XSS) vulnerability in search.php for Simple PHP Blog (sphpBlog) 0.4.0 allows remote attackers to inject arbitrary web script or HTML via the q parameter. Date published : 2005-04-16 http://www.securityfocus.com/bid/13170 http://marc.info/?l=bugtraq&m=111359320312609&w=2
SQL injection vulnerability in exit.php for Serendipity 0.8 and earlier allows remote attackers to execute arbitrary SQL commands via the (1) url_id or (2) entry_id parameters. Date published : 2005-04-16 http://www.securityfocus.com/bid/13161 http://seclists.org/lists/bugtraq/2005/Apr/0195.html
The POP3 server in IBM iSeries AS/400 returns different error messages when the user exists or not, which allows remote attackers to determine valid user IDs on the server. Date published : 2005-04-16 http://www.securityfocus.com/bid/13156...
LG U8120 mobile phone allows remote attackers to cause a denial of service (device crash) via a malformed MIDI file. Date published : 2005-04-16 http://www.securityfocus.com/bid/13154 http://www.securityfocus.com/archive/1/395714
Unknown vulnerability in Veritas i3 Focalpoint Server 7.1 and earlier has unknown attack vectors and unknown but "critical" impact. Date published : 2005-04-16 http://www.securityfocus.com/bid/13142 http://seer.support.veritas.com/docs/276119.htm
Cross-site scripting (XSS) vulnerability in index.php in Pinnacle Cart allows remote attackers to inject arbitrary web script or HTML via the pg parameter. Date published : 2005-04-16 http://www.securityfocus.com/bid/13138 http://systemsecure.org/board/index.php?showtopic=8
eGroupWare 1.0.6 and earlier, when an e-mail is composed with an attachment but not sent, will send that attachment in the next e-mail, which may cause sensitive information to be sent to the wrong...
Multiple SQL injection vulnerabilities in VHCS 2.4 and earlier allow remote attackers to execute arbitrary SQL commands via certain inputs from HTTP POST queries. Date published : 2005-04-16 http://www.osvdb.org/15541 http://securitytracker.com/id?1013703