CVE-2005-2604
index.php for My Image Gallery (Mig) 1.4.1 allows remote attackers to obtain the web server path via certain currDir and image arguments, which leaks the path in an error message. Date published :...
Cross-site scripting (XSS) vulnerability in index.php for My Image Gallery (Mig) 1.4.1 allows remote attackers to inject arbitrary web script or HTML via the (1) currDir or (2) image parameters. Date published :...
Mozilla Thunderbird 1.0 and Firefox 1.0.6 allow remote attackers to obfuscate URIs via a long URI, which causes the address bar to go blank and could facilitate phishing attacks. Date published : 2005-08-17 http://www.securityfocus.com/bid/14526...
SQL injection vulnerability in MidiCart allows remote attackers to execute arbitrary SQL commands via the code_no parameter to (1) Item_Show.asp or (2) search_list.asp. Date published : 2005-08-17 http://www.securityfocus.com/bid/14544 http://systemsecure.org/ssforum/viewtopic.php?t=30
FUDForum 2.6.15 with "Tree View" enabled, as used in other products such as phpgroupware and egroupware, allows remote attackers to read private posts via a modified mid parameter. Date published : 2005-08-17 http://www.securityfocus.com/bid/14556 http://www.debian.org/security/2005/dsa-798
Hummingbird FTP for Connectivity 10.0 uses weak encryption (trivial encoding) to store the user’s password in the FTP profile, which allows attackers to gain privileges. Date published : 2005-08-17 http://www.securityfocus.com/bid/14559 http://archives.neohapsis.com/archives/bugtraq/2005-08/0219.html
Multiple directory traversal vulnerabilities in Dokeos 1.6 and earlier, and possibly Claroline, allow remote attackers to (1) delete arbitrary files or directories via the delete parameter to claroline/scorm/scormdocument.php, (2) move arbitrary files via the...
AOL Client Software 9.0 uses insecure permissions for its installation path, which allows local users to execute arbitrary code with SYSTEM privileges by replacing ACSD.exe with a malicious program. Date published : 2005-08-17 http://www.securityfocus.com/bid/14530...
User.php in Gallery, as used in Postnuke, allows users with any Admin privileges to gain access to all galleries. Date published : 2005-08-17 http://www.securityfocus.com/bid/14547 http://gallery.menalto.com/index.php?name=PNphpBB2&file=viewtopic&t=7048
Cross-site scripting (XSS) vulnerability in Dada Mail before 2.10 Alpha 1 allows remote attackers to execute arbitrary JavaScript via archived messages. Date published : 2005-08-17 http://www.securityfocus.com/bid/14573 http://mojo.skazat.com/download/testing_2_10_0_alpha1.html
Apple Safari 1.3 (132) on Mac OS X 1.3.9 allows remote attackers to cause a denial of service (crash) via certain JavaScript, possibly involving a function that defines a handler for itself within the...
Parlano MindAlign 5.0 and later versions use weak encryption, with unknown impact and attack vectors. Date published : 2005-08-17 http://www.securityfocus.com/bid/14562 http://www.niscc.gov.uk/niscc/docs/br-20050812-00673.html?lang=en
Unknown vulnerability in Parlano MindAlign 5.0 and later versions allows remote attackers to bypass authentication via unknown vectors. Date published : 2005-08-17 http://www.securityfocus.com/bid/14562 http://www.niscc.gov.uk/niscc/docs/br-20050812-00673.html?lang=en
Parlano MindAlign 5.0 and later versions allow remote attackers to list valid users via unknown vectors, aka the "User Enumeration" vulnerability. Date published : 2005-08-17 http://www.securityfocus.com/bid/14562 http://www.niscc.gov.uk/niscc/docs/br-20050812-00673.html?lang=en