Monthly Archive: May 2006

The viewfile servlet in the documentation package (resin-doc) for Caucho Resin 3.0.17 and 3.0.18 allows remote attackers to obtain the source code for file under the web root via the file parameter. Date published...

WebSphere Application Server 5.0.2 (or any earlier cumulative fix) stores admin and LDAP passwords in plaintext in the FFDC logs when a login to WebSphere fails, which allows attackers to gain privileges. Date published...

Unspecified vulnerability in IBM WebSphere Application Server 5.0.2 and earlier, and 5.1.1 and earlier, has unknown impact and attack vectors related to "Inserting certain script tags in urls [that] may allow unintended execution of...

Unspecified vulnerability in WebSphere 5.1.1 (or any earlier cumulative fix) Common Configuration Mode + CommonArchive and J2EE Models might allow attackers to obtain sensitive information via the trace. Date published : 2006-05-17 http://archives.neohapsis.com/archives/bugtraq/2006-05/0175.html http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg27006879

Unspecified vulnerability in IBM WebSphere Application Server 6.0.2, 6.0.2.1, 6.0.2.3, 6.0.2.5, and 6.0.2.7 has unknown impact and attack vectors related to the "administrative console". Date published : 2006-05-17 http://www-1.ibm.com/support/search.wss?rs=0&q=PK17838&apar=only http://archives.neohapsis.com/archives/bugtraq/2006-05/0175.html

IBM WebSphere Application Server 5.0.2 (or any earlier cumulative fix) and 5.1.1 (or any earlier cumulative fix) allows EJB access on Solaris systems via a crafted LTPA token. Date published : 2006-05-17 http://www-1.ibm.com/support/search.wss?rs=0&q=PK19195&apar=only http://archives.neohapsis.com/archives/bugtraq/2006-05/0175.html

Cross-site scripting (XSS) vulnerability in the 500 Internal Server Error page on the SOAP port (8880/tcp) in IBM WebSphere Application Server 5.0.2 and earlier, 5.1.x before 5.1.1.12, and 6.0.2 up to 6.0.2.7, allows remote...

IBM WebSphere Application Server 5.0.2 and earlier, 5.1.1 and earlier, and 6.0.2 up to 6.0.2.7 records user credentials in plaintext in addNode.log, which allows attackers to gain privileges. Date published : 2006-05-17 http://www-1.ibm.com/support/search.wss?rs=0&q=PK16492&apar=only http://www-1.ibm.com/support/docview.wss?rs=0&dc=DB550&q1=PK16492&uid=swg1PK22416&loc=en_US&cs=utf-8&lang=

Unspecified vulnerability in IBM WebSphere Application Server 6.0.2, 6.0.2.1, 6.0.2.3, 6.0.2.5, and 6.0.2.7 has unknown impact and remote attack vectors related to "HTTP request handlers". Date published : 2006-05-17 http://www-1.ibm.com/support/docview.wss?rs=0&dc=DB550&q1=PK12319&uid=swg1PK16502&loc=en_US&cs=utf-8&lang= http://www-1.ibm.com/support/docview.wss?rs=0&dc=DB550&q1=PK12319&uid=swg1PK16502&loc=en_US&cs=utf-8&lang=

add.asp in DUware DUbanner 3.1 allows remote attackers to execute arbitrary code by uploading files with arbitrary extensions, such as ASP files, probably due to client-side enforcement that can be bypassed. NOTE: some of...

freshclam in (1) Clam Antivirus (ClamAV) 0.88 and (2) ClamXav 1.0.3h and earlier does not drop privileges before processing the config-file command line option, which allows local users to read portions of arbitrary files...

Sun Java Runtime Environment (JRE) 1.5.0_6 and earlier, JDK 1.5.0_6 and earlier, and SDK 1.5.0_6 and earlier allows remote attackers to cause a denial of service (disk consumption) by using the Font.createFont function to...

Multiple cross-site scripting (XSS) vulnerabilities in PRV.php in PhpRemoteView, possibly 2003-10-23 and earlier, allow remote attackers to inject arbitrary web script or HTML via the (1) f, (2) d, and (3) ref parameters, and...

PHP remote file inclusion vulnerability in ezUserManager 1.6 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the ezUserManager_Path parameter to ezusermanager_pwd_forgott.php, possibly due to...