Monthly Archive: February 2007

** DISPUTED ** PHP remote file inclusion vulnerability in upload/admin/team.php in Robin de Graff Somery 0.4.4 allows remote attackers to execute arbitrary PHP code via a URL in the checkauth parameter. NOTE: CVE disputes...

SQL injection vulnerability in item.php in PSY Auction allows remote attackers to execute arbitrary SQL commands via the id parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from...

Cross-site scripting (XSS) vulnerability in email_request.php in PSY Auction allows remote attackers to inject arbitrary web script or HTML via the user_id parameter. NOTE: the provenance of this information is unknown; the details are...

PHP remote file inclusion vulnerability in admin/index.php in Fusion Polls allows remote attackers to execute arbitrary PHP code via a URL in the xtrphome parameter. Date published : 2007-02-12 http://www.securityfocus.com/archive/1/437127/30/4380/threaded http://www.securityfocus.com/archive/1/441493/30/4380/threaded

Cross-site scripting (XSS) vulnerability in add_comment.php in Wheatblog (wB) 1.1 allows remote attackers to inject arbitrary web script or HTML via the Email field. NOTE: the provenance of this information is unknown; the details...

Directory traversal vulnerability in avatar.php in PhpMyChat Plus 1.9 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the L parameter, a different issue than CVE-2006-5897. NOTE: the...

Headstart Solutions DeskPRO allows remote attackers to obtain the full path via direct requests to (1) email/mail.php, (2) includes/init.php, (3) certain files in includes/cron/, and (4) jpgraph.php, (5) jpgraph_bar.php, (6) jpgraph_pie.php, and (7) jpgraph_pie3d.php...

attachment.php in Headstart Solutions DeskPRO allows remote attackers to read all uploaded files by providing the file number in a modified id parameter. Date published : 2007-02-12 http://www.zion-security.com/text/Mul_Vulnerability_DeskPro.txt

install/loader_help.php in Headstart Solutions DeskPRO allows remote attackers to obtain configuration information via a q=phpinfo QUERY_STRING, which calls the phpinfo function. Date published : 2007-02-12 http://www.zion-security.com/text/Mul_Vulnerability_DeskPro.txt

Unspecified vulnerability in a cryptographic feature in MailEnable Standard Edition before 1.93, Professional Edition before 1.73, and Enterprise Edition before 1.21 leads to "weakened authentication security" with unknown impact and attack vectors. NOTE: due...

Multiple cross-site scripting (XSS) vulnerabilities in warforge.NEWS 1.0 allow remote attackers to inject arbitrary HTML and web script via the (1) title and (2) newspost parameters to (a) newsadd.php, and the (3) name, title,...

mycontacts.php in V3 Chat allows remote authenticated users to gain privileges as other users via a modified membername parameter. Date published : 2007-02-12 http://www.securityfocus.com/bid/18543 http://www.securityfocus.com/archive/1/437755/100/200/threaded

Unrestricted file upload vulnerability in add.asp in OzzyWork Gallery, possibly 2.0 and earlier, allows remote attackers to upload and execute arbitrary ASP files by removing the client-side security checks. Date published : 2007-02-12 http://www.securityfocus.com/bid/17946...

Multiple SQL injection vulnerabilities in pages/addcomment2.php in Neuron Blog 1.1 allow remote attackers to inject arbitrary SQL commands via the (1) commentname, (2) commentmail, (3) commentwebsite, and (4) comment parameters. NOTE: the provenance of...