Monthly Archive: September 2008

Multiple cross-site scripting (XSS) vulnerabilities in NooMS 1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) page_id parameter to smileys.php and the (2) q parameter to search.php. Date published...

SQL injection vulnerability in tr.php in DownlineGoldmine Special Category Addon, Downline Builder Pro, New Addon, and Downline Goldmine Builder allows remote attackers to execute arbitrary SQL commands via the id parameter. NOTE: some of...

SQL injection vulnerability in search.php in Pre Real Estate Listings allows remote attackers to execute arbitrary SQL commands via the c parameter. Date published : 2008-09-23 http://www.securityfocus.com/bid/31192 https://www.exploit-db.com/exploits/6465

SQL injection vulnerability in izle.asp in FoT Video scripti 1.1 beta allows remote attackers to execute arbitrary SQL commands via the oyun parameter. Date published : 2008-09-23 http://www.securityfocus.com/bid/31166 https://www.exploit-db.com/exploits/6453

Multiple SQL injection vulnerabilities in Link Bid Script 1.5 allow remote attackers to execute arbitrary SQL commands via the (1) ucat parameter to upgrade.php and the (2) id parameter to linkadmin/edit.php. Date published :...

Multiple cross-site scripting (XSS) vulnerabilities in index.php in Dynamic MP3 Lister 2.0.1 allow remote attackers to inject arbitrary web script or HTML via the (1) currentpath, (2) invert, (3) search, and (4) sort parameters....

Drupal, probably 5.10 and 6.4, does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier...

The default configuration of the JBossAs component in Red Hat JBoss Enterprise Application Platform (aka JBossEAP or EAP), possibly 4.2 before CP04 and 4.3 before CP02, when a production environment is enabled, sets the...

SQL injection vulnerability in ProArcadeScript 1.3 allows remote attackers to execute arbitrary SQL commands via the random parameter to the default URI. Date published : 2008-09-22 http://www.securityfocus.com/bid/31238 https://www.exploit-db.com/exploits/6486

SQL injection vulnerability in page.php in Cars & Vehicle (aka Cars-Vehicle Script) allows remote attackers to execute arbitrary SQL commands via the lnkid parameter. Date published : 2008-09-22 http://www.securityfocus.com/bid/31214 http://packetstormsecurity.org/0809-exploits/carsvehicle-sql.txt

SQL injection vulnerability in xmlout.php in Invision Power Board (IP.Board or IPB) 2.2.x and 2.3.x allows remote attackers to execute arbitrary SQL commands via the name parameter. Date published : 2008-09-22 http://www.securityfocus.com/bid/31288 http://forums.invisionpower.com/index.php?showtopic=276512

create_account.php in osCommerce 2.2 RC 2a allows remote attackers to obtain sensitive information via an invalid dob parameter, which reveals the installation path in an error message. Date published : 2008-09-22 http://www.securityfocus.com/bid/31209 http://www.securityfocus.com/archive/1/496417/100/0/threaded

SQL injection vulnerability in detaillist.php in iScripts EasyIndex, possibly 1.0, allows remote attackers to execute arbitrary SQL commands via the produid parameter. Date published : 2008-09-22 http://www.securityfocus.com/bid/31202 https://www.exploit-db.com/exploits/6467

Cross-site scripting (XSS) vulnerability in verify_login.jsp in Pro2col Stingray FTS allows remote attackers to inject arbitrary web script or HTML via the form_username parameter (aka user name field). Date published : 2008-09-22 http://www.securityfocus.com/bid/31148 http://www.securityfocus.com/archive/1/496302/100/0/threaded