CVE-2006-0334
Cross-site scripting (XSS) vulnerability in search.php in My Amazon Store Manager 1.0 allows remote attackers to inject arbitrary web script or HTML via the Keywords parameter. NOTE: some sources claim that the affected parameter...
Cross-site scripting (XSS) vulnerability in ar-blog 5.2 allows remote attackers to inject arbitrary web script or HTML via the (1) month or (2) year parameter to index.php. Date published : 2006-01-20 http://www.securityfocus.com/archive/1/422386/100/0/threaded http://www.securityfocus.com/archive/1/435205/100/0/threaded
Pantomime in Ecartis 1.0.0 snapshot 20050909 stores e-mail attachments in a publicly accessible directory, which may allow remote attackers to upload arbitrary files. Date published : 2006-01-20 http://www.securityfocus.com/bid/16317 http://marc.info/?l=listar-dev&m=113732552708625&w=2
Buffer overflow in Change passwd 3.1 (chpasswd) SquirrelMail plugin allows local users to execute arbitrary code via long command line arguments. Date published : 2006-01-20 http://www.securityfocus.com/archive/1/422414/100/0/threaded http://www.squirrelmail.org/plugin_view.php?id=117
Cross-site scripting (XSS) vulnerability in Gallery before 1.5.2 allows remote attackers to inject arbitrary web script or HTML via unknown attack vectors, possibly involving the user name (fullname). Date published : 2006-01-20 http://www.securityfocus.com/bid/16334 http://gallery.menalto.com/page/gallery_1_5_2_release
SQL injection vulnerability in HITSENSER Data Mart Server BS, BS-S, BS-M, BS-L, and EX allows remote attackers to execute arbitrary SQL commands via unknown attack vectors. Date published : 2006-01-20 http://www.securityfocus.com/bid/16326 http://www.hitachi-support.com/security_e/vuls_e/HS05-026_e/index-e.html
Format string vulnerability in Tftpd32 2.81 allows remote attackers to cause a denial of service via format string specifiers in a filename in a (1) GET or (2) SEND request. Date published : 2006-01-20...
TYPO3 3.7.1 allows remote attackers to obtain sensitive information via a direct request to (1) thumbs.php, (2) showpic.php, or (3) tables.php, which causes them to incorrectly define a variable and reveal the path in...
Etomite Content Management System 0.6, and possibly earlier versions, when downloaded from the web site in January 2006 after January 10, contains a back door in manager/includes/todo.inc.php, which allows remote attackers to execute arbitrary...
crawl before 4.0.0 does not securely call programs when saving and loading games, which allows local users to gain privileges. Date published : 2006-01-20 http://www.securityfocus.com/bid/16337 http://www.debian.org/security/2006/dsa-949
Heap-based buffer overflow in the encodeURI and decodeURI functions in the kjs JavaScript interpreter engine in KDE 3.2.0 through 3.5.0 allows remote attackers to execute arbitrary code via a crafted, UTF-8 encoded URI. Date...
Cross-site scripting (XSS) vulnerability in PHlyMail before 3.3 Beta1 allows remote attackers to inject arbitrary JavaScript via unknown attack vectors. Date published : 2006-01-19 http://www.securityfocus.com/bid/16310 http://phlymail.de/forum/viewtopic.php?t=842
SQL injection vulnerability in WebspotBlogging 3.0 allows remote attackers to execute arbitrary SQL commands and bypass authentication via the username parameter to login.php. Date published : 2006-01-19 http://www.securityfocus.com/bid/16319 http://www.securityfocus.com/archive/1/422364/100/0/threaded
Unspecified vulnerability in the edit comment formatting functionality in MediaWiki 1.5.x before 1.5.6 and 1.4.x before 1.4.14 allows attackers to cause a denial of service (infinite loop) via "certain malformed links." Date published : 2006-01-19...