CVE-2007-0314
Multiple PHP remote file inclusion vulnerabilities in Article System 1.0 allow remote attackers to execute arbitrary PHP code via a URL in the INCLUDE_DIR parameter to (1) forms.php, (2) issue_edit.php, (3) client.php, and (4)...
Unspecified vulnerability in GONICUS System Administration (GOsa) before 2.5.8 allows remote authenticated users to modify certain settings, including the admin password, via crafted POST requests. Date published : 2007-01-17 http://oss.gonicus.de/pipermail/gosa/2007-January/002650.html http://osvdb.org/32821
wcSimple Poll stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain password hashes via a direct request for password.txt. Date published : 2007-01-17 http://www.securityfocus.com/archive/1/456982/100/0/threaded http://osvdb.org/33539
Texas Imperial Software WFTPD and WFTPD Pro Server 3.25 and earlier allow remote attackers to cause a denial of service (application crash) via a long SITE ADMIN command. Date published : 2007-01-17 http://www.securityfocus.com/bid/22046 https://www.exploit-db.com/exploits/3126
BMC Remedy Action Request System 5.01.02 Patch 1267 generates different error messages for failed login attempts with a valid username than for those with an invalid username, which allows remote attackers to determine valid...
SQL injection vulnerability in blocks/block-Old_Articles.php in Francisco Burzi PHP-Nuke 7.9 and earlier, when register_globals is enabled and magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the cat parameter. Date published...
Cross-site scripting (XSS) vulnerability in Plain Black WebGUI before 7.3.4 (beta) allows remote attackers to inject arbitrary web script or HTML via Wiki Page titles. Date published : 2007-01-17 http://www.securityfocus.com/bid/22051 http://www.plainblack.com/getwebgui/advisories/webgui-7_3_4-beta-released#BUeIjcWiQasypsJxD-YwgQ
PHP remote file inclusion vulnerability in include/common.php in Poplar Gedcom Viewer 2.0 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the env[rootPath] parameter. Date published : 2007-01-17 http://www.securityfocus.com/bid/22038...
SQL injection vulnerability in visu_user.asp in Digiappz DigiAffiliate 1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter. Date published : 2007-01-17 http://www.securityfocus.com/bid/22039 https://www.exploit-db.com/exploits/3122
SQL injection vulnerability in etkinlikbak.asp in Okul Web Otomasyon Sistemi 4.0.1 allows remote attackers to execute arbitrary SQL commands via the id parameter. Date published : 2007-01-17 http://www.securityfocus.com/bid/22060 http://www.securityfocus.com/archive/1/456894/100/0/threaded
SQL injection vulnerability in duyuru.asp in MiNT Haber Sistemi 2.7 allows remote attackers to execute arbitrary SQL commands via the id parameter. Date published : 2007-01-17 https://www.exploit-db.com/exploits/3120 http://osvdb.org/32820
Multiple unspecified vulnerabilities in Zina 1.0rc1 and earlier have unknown impact and attack vectors related to "Potential security bugs." Date published : 2007-01-17 http://www.securityfocus.com/bid/22049 http://www.pancake.org/zina-changelog-12
Multiple cross-site scripting (XSS) vulnerabilities in InstantASP 4.1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) SessionID parameter to (a) Logon.aspx, and the (2) Username and (3) Update parameters...
PHP remote file inclusion vulnerability in _admin/admin_menu.php in FdWeB Espace Membre 2.1 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the path parameter. Date published : 2007-01-17 http://www.securityfocus.com/bid/22040...